23542300x800000000000000025301Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:50:31.704{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE12F8D0BA7C5986472597AAE9CBF44,SHA256=EC73B6986DD86666E3A088B3DCD996E6395CAAA6CDED8358270133F85E6EFB8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047117Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:31.838{C8F4C507-61C9-6140-9108-00000000F001}22563920C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6257-6140-DD08-00000000F001}6364C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program 
Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000047116Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:31.838{C8F4C507-61C9-6140-9108-00000000F001}22563920C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6257-6140-DD08-00000000F001}6364C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program 
Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000047115Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:31.837{C8F4C507-61C9-6140-9108-00000000F001}22563920C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6257-6140-DD08-00000000F001}6364C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program 
Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000047114Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:31.837{C8F4C507-61C9-6140-9108-00000000F001}22563920C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6257-6140-DD08-00000000F001}6364C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program 
Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000047113Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:31.837{C8F4C507-61C9-6140-9108-00000000F001}22563920C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6257-6140-DD08-00000000F001}6364C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program 
Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000047112Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:31.836{C8F4C507-61C9-6140-9108-00000000F001}22563920C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6257-6140-DD08-00000000F001}6364C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program 
Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000047111Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:31.836{C8F4C507-61C9-6140-9108-00000000F001}22563920C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6257-6140-DD08-00000000F001}6364C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program 
Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x800000000000000047110Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:50:31.800{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.6811844916430964287C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x800000000000000047109Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 08:50:31.800{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.6811844916430964287C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x800000000000000047108Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:31.777{C8F4C507-61C9-6140-9208-00000000F001}3664648C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6257-6140-DD08-00000000F001}6364C:\Program Files\Google\Chrome\Application\chrome.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\chrome.exe+3e13f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000047107Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:50:31.777{C8F4C507-6257-6140-DD08-00000000F001}6364\crashpad_2256_QIVMBVIRDSVQPOOJC:\Program Files\Google\Chrome\Application\chrome.exe 18141800x800000000000000047106Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 
08:50:31.773{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.6194272261485191427C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x800000000000000047105Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 08:50:31.773{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.6194272261485191427C:\Program Files\Google\Chrome\Application\chrome.exe 18141800x800000000000000047104Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:50:31.764{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.17404060153776191793C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x800000000000000047103Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 08:50:31.764{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.17404060153776191793C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x800000000000000047102Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:31.752{C8F4C507-5C83-6140-A007-00000000F001}42241076C:\Windows\system32\csrss.exe{C8F4C507-6257-6140-DD08-00000000F001}6364C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047101Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:31.752{C8F4C507-61C9-6140-9108-00000000F001}22564156C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6257-6140-DD08-00000000F001}6364C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Google\Chrome\Application\chrome.exe+3f075|C:\Program Files\Google\Chrome\Application\chrome.exe+ae1f5|C:\Program 
Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+29cf454|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd4551|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd39e4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd3439|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30d607|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3788365|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+37872c1|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3786ba8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30dbd8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000047100Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:50:31.750{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.5724.8490014228683262187C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x800000000000000047099Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 08:50:31.750{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.5724.8490014228683262187C:\Program Files\Google\Chrome\Application\chrome.exe 23542300x800000000000000047098Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:31.729{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84378D1B8CD4A451FC7FCAC91D6B2480,SHA256=1CC0F820294C038885DCF247841FAADFF2623D37C5B288A7B64022173019606F,IMPHASH=00000000000000000000000000000000falsetrue 
22542200x800000000000000047097Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:29.930{C8F4C507-61CB-6140-9408-00000000F001}4428content-autofill.googleapis.com0142.250.181.234;C:\Program Files\Google\Chrome\Application\chrome.exe 22542200x800000000000000047096Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:29.851{C8F4C507-61CB-6140-9408-00000000F001}4428apis.google.com0type: 5 plus.l.google.com;142.250.181.238;C:\Program Files\Google\Chrome\Application\chrome.exe 22542200x800000000000000047095Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:29.432{C8F4C507-61CB-6140-9408-00000000F001}4428consent.youtube.com0142.250.186.174;C:\Program Files\Google\Chrome\Application\chrome.exe 22542200x800000000000000047094Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:29.257{C8F4C507-61CB-6140-9408-00000000F001}4428consent.google.de0172.217.16.142;C:\Program Files\Google\Chrome\Application\chrome.exe 354300x800000000000000047093Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:30.171{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50150-false10.0.1.12-8000- 354300x800000000000000047092Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:29.998{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50149-false142.250.185.98fra16s49-in-f2.1e100.net443https 354300x800000000000000047091Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:29.995{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local59817- 354300x800000000000000047090Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:29.925{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local61185-false142.250.181.234fra16s56-in-f10.1e100.net443https 354300x800000000000000047089Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:29.850{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local58551-false142.250.181.238fra16s56-in-f14.1e100.net443https 23542300x800000000000000025303Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:50:32.845{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=972F0BA416224E20BDE17C62EA538395,SHA256=C329672516054C4D76CCB3F94F5FE617AF9A2C71D84B4C05C52A4008B047933C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047138Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:32.817{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69DB7B2AEEDC3460F278635E61C63831,SHA256=C9D41CFB3583EC5AD1429E77E3ADFFE99786FEA0A6E87AB6E5D53A373D302862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047137Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:50:32.807{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=435311C5A02BD920B4483A5D0867CE32,SHA256=FBBBE6EF52DAC1B875C7E41EC1253F5FBC88FC3447A2E433CF308CC2E7E6059F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047136Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:32.807{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17C3AAD787D66CEC35AE2D725CA8787A,SHA256=DC33D09BBAD23FD3D1659B9D1DD3B5A33F759D4816DA6AAFC0A7A311CBE29423,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025302Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:50:28.673{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50894-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000047135Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:30.503{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-61027- 354300x800000000000000047134Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:30.477{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local62040- 354300x800000000000000047133Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:50:30.477{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local61027- 10341000x800000000000000047132Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:32.411{C8F4C507-61C9-6140-9108-00000000F001}22563920C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6258-6140-DE08-00000000F001}7016C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program 
Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000047131Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:32.411{C8F4C507-61C9-6140-9108-00000000F001}22563920C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6258-6140-DE08-00000000F001}7016C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program 
Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000047182Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:33.942{C8F4C507-61C9-6140-9208-00000000F001}3664648C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6259-6140-E108-00000000F001}2316C:\Program Files\Google\Chrome\Application\chrome.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\chrome.exe+3e13f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000047181Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:50:33.941{C8F4C507-6259-6140-E108-00000000F001}2316\crashpad_2256_QIVMBVIRDSVQPOOJC:\Program Files\Google\Chrome\Application\chrome.exe 18141800x800000000000000047180Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:50:33.928{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.16506612531010341666C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x800000000000000047179Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 08:50:33.928{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.16506612531010341666C:\Program Files\Google\Chrome\Application\chrome.exe 
10341000x800000000000000047178Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:33.923{C8F4C507-5C83-6140-A007-00000000F001}42245620C:\Windows\system32\csrss.exe{C8F4C507-6259-6140-E108-00000000F001}2316C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047177Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:33.923{C8F4C507-61C9-6140-9108-00000000F001}22564156C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6259-6140-E108-00000000F001}2316C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Google\Chrome\Application\chrome.exe+3f075|C:\Program Files\Google\Chrome\Application\chrome.exe+ae1f5|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+29cf454|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd4551|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd39e4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd3439|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30d607|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3788365|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+37872c1|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3786ba8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30dbd8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
18141800x800000000000000047176Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:50:33.921{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.5724.7609370729040577770C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x800000000000000047175Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 08:50:33.921{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.5724.7609370729040577770C:\Program Files\Google\Chrome\Application\chrome.exe 18141800x800000000000000047174Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:50:33.909{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.10341004427615672681C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x800000000000000047173Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 08:50:33.909{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.10341004427615672681C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x800000000000000047172Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:33.909{C8F4C507-61C9-6140-9208-00000000F001}36645648C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6259-6140-E008-00000000F001}5440C:\Program Files\Google\Chrome\Application\chrome.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\chrome.exe+3e13f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000047171Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:50:33.909{C8F4C507-6259-6140-E008-00000000F001}5440\crashpad_2256_QIVMBVIRDSVQPOOJC:\Program Files\Google\Chrome\Application\chrome.exe 18141800x800000000000000047170Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 
08:50:33.899{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.1142401485339171778C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x800000000000000047169Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 08:50:33.899{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.1142401485339171778C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x800000000000000047168Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:33.895{C8F4C507-5C83-6140-A007-00000000F001}42241076C:\Windows\system32\csrss.exe{C8F4C507-6259-6140-E008-00000000F001}5440C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047167Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:33.895{C8F4C507-61C9-6140-9108-00000000F001}22564156C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6259-6140-E008-00000000F001}5440C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Google\Chrome\Application\chrome.exe+3f075|C:\Program Files\Google\Chrome\Application\chrome.exe+ae1f5|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+29cf454|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd4551|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd39e4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd3439|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30d607|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3788365|C:\Program 
Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+37872c1|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3786ba8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30dbd8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000047166Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:50:33.893{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.5724.5511056859536216324C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x800000000000000047165Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 08:50:33.892{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.5724.5511056859536216324C:\Program Files\Google\Chrome\Application\chrome.exe 23542300x800000000000000047164Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:33.836{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47DB088923AB11C86AC954465C78CC5A,SHA256=E718B1299DD5366BA8AC7A62B0AE864A5353B95474D70C193A43AEA78365513B,IMPHASH=00000000000000000000000000000000falsetrue 18141800x800000000000000047163Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:50:33.790{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.17510250618657614259C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x800000000000000047162Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 08:50:33.790{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.17510250618657614259C:\Program Files\Google\Chrome\Application\chrome.exe 
18141800x800000000000000047161Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:50:33.782{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.18265978341935526094C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x800000000000000047160Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 08:50:33.781{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.18265978341935526094C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x800000000000000047159Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:33.593{C8F4C507-61C9-6140-9108-00000000F001}22563920C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6259-6140-DF08-00000000F001}1960C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program 
Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000047158Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:33.593{C8F4C507-61C9-6140-9108-00000000F001}22563920C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6259-6140-DF08-00000000F001}1960C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program 
Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000047157Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:33.592{C8F4C507-61C9-6140-9108-00000000F001}22563920C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6259-6140-DF08-00000000F001}1960C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program 
Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000047156Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:33.592{C8F4C507-61C9-6140-9108-00000000F001}22563920C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6259-6140-DF08-00000000F001}1960C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program 
Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000047155Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:33.592{C8F4C507-61C9-6140-9108-00000000F001}22563920C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6259-6140-DF08-00000000F001}1960C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program 
Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000047154Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:33.592{C8F4C507-61C9-6140-9108-00000000F001}22563920C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6259-6140-DF08-00000000F001}1960C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program 
Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000047153Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:33.592{C8F4C507-61C9-6140-9108-00000000F001}22563920C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6259-6140-DF08-00000000F001}1960C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program 
Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000047152Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:33.552{C8F4C507-61C9-6140-9208-00000000F001}3664648C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6259-6140-DF08-00000000F001}1960C:\Program Files\Google\Chrome\Application\chrome.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\chrome.exe+3e13f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000047151Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:50:33.552{C8F4C507-6259-6140-DF08-00000000F001}1960\crashpad_2256_QIVMBVIRDSVQPOOJC:\Program Files\Google\Chrome\Application\chrome.exe 18141800x800000000000000047150Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:50:33.541{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.10099910091013745856C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x800000000000000047149Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 08:50:33.541{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.10099910091013745856C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x800000000000000047148Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:50:33.538{C8F4C507-5C83-6140-A007-00000000F001}42245620C:\Windows\system32\csrss.exe{C8F4C507-6259-6140-DF08-00000000F001}1960C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047147Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:33.537{C8F4C507-61C9-6140-9108-00000000F001}22564156C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6259-6140-DF08-00000000F001}1960C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Google\Chrome\Application\chrome.exe+3f075|C:\Program Files\Google\Chrome\Application\chrome.exe+ae1f5|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+29cf454|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd4551|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd39e4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd3439|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30d607|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3788365|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+37872c1|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3786ba8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30dbd8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000047146Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 
08:50:33.533{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.5724.15738627630228837226C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x800000000000000047145Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 08:50:33.533{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.5724.15738627630228837226C:\Program Files\Google\Chrome\Application\chrome.exe 18141800x800000000000000047144Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:50:33.514{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.13015006674895985923C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x800000000000000047143Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 08:50:33.514{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.13015006674895985923C:\Program Files\Google\Chrome\Application\chrome.exe 18141800x800000000000000047142Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:50:33.497{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.3210030104311509381C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x800000000000000047141Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 08:50:33.497{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.3210030104311509381C:\Program Files\Google\Chrome\Application\chrome.exe 354300x800000000000000047140Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:31.496{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local52378- 354300x800000000000000047139Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:31.496{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50168- 23542300x800000000000000025305Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:50:34.876{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE9DF86300B930DF6132F7CC1B61FCE,SHA256=265AF717691B4530269310412B6A5651DBF6DBA8D0B16616B794B324781A0AA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047223Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:34.899{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3528F7619813E87A1D814594874D0D4,SHA256=F3C382E3FF61E1569A9CA17D27C9BD8D3C41B94EDA0511BEDA4BEDE5D3D6330D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047222Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:34.574{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8749F2419164E6BC39CE42681E423019,SHA256=1DD6FADDA3C35A62EF8E9C2CE58073750519D46426121C134449C0AD8922BCD0,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000047221Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:32.917{C8F4C507-61CB-6140-9408-00000000F001}4428www.bancobrasil.com.br0type: 5 www.dc.bb.com.br;170.66.192.50;170.66.11.10;C:\Program Files\Google\Chrome\Application\chrome.exe 
354300x800000000000000047220Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:33.170{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local65281-false170.66.192.50-443https 354300x800000000000000047219Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:33.134{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local54308-false170.66.192.50-443https 354300x800000000000000047218Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:33.131{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50129-false170.66.192.50-443https 18141800x800000000000000047217Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:50:34.390{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.4526562818635909631C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x800000000000000047216Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 08:50:34.390{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.4526562818635909631C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x800000000000000047215Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:34.309{C8F4C507-61C9-6140-9208-00000000F001}3664648C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-625A-6140-E308-00000000F001}1752C:\Program Files\Google\Chrome\Application\chrome.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\Google\Chrome\Application\chrome.exe+3e13f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000047214Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:50:34.309{C8F4C507-625A-6140-E308-00000000F001}1752\crashpad_2256_QIVMBVIRDSVQPOOJC:\Program Files\Google\Chrome\Application\chrome.exe 18141800x800000000000000047213Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:50:34.292{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.17900939010625611239C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x800000000000000047212Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 08:50:34.292{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.17900939010625611239C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x800000000000000047211Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:34.279{C8F4C507-61C9-6140-9208-00000000F001}36645648C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-625A-6140-E208-00000000F001}1816C:\Program Files\Google\Chrome\Application\chrome.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\chrome.exe+3e13f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000047210Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:50:34.278{C8F4C507-625A-6140-E208-00000000F001}1816\crashpad_2256_QIVMBVIRDSVQPOOJC:\Program Files\Google\Chrome\Application\chrome.exe 10341000x800000000000000047209Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:34.275{C8F4C507-5C83-6140-A007-00000000F001}4224696C:\Windows\system32\csrss.exe{C8F4C507-625A-6140-E308-00000000F001}1752C:\Program 
Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047208Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:34.275{C8F4C507-61C9-6140-9108-00000000F001}22564156C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-625A-6140-E308-00000000F001}1752C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Google\Chrome\Application\chrome.exe+3f075|C:\Program Files\Google\Chrome\Application\chrome.exe+ae1f5|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+29cf454|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd4551|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd39e4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd3439|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30d607|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3788365|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+37872c1|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3786ba8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30dbd8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000047207Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:50:34.273{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.2445849141878455009C:\Program Files\Google\Chrome\Application\chrome.exe 
17141700x800000000000000047206Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 08:50:34.273{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.2445849141878455009C:\Program Files\Google\Chrome\Application\chrome.exe 18141800x800000000000000047205Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:50:34.257{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.17736773618413555322C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x800000000000000047204Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 08:50:34.257{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.17736773618413555322C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x800000000000000047203Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:34.241{C8F4C507-5C83-6140-A007-00000000F001}4224696C:\Windows\system32\csrss.exe{C8F4C507-625A-6140-E208-00000000F001}1816C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047202Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:34.241{C8F4C507-61C9-6140-9108-00000000F001}22564156C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-625A-6140-E208-00000000F001}1816C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Google\Chrome\Application\chrome.exe+3f075|C:\Program Files\Google\Chrome\Application\chrome.exe+ae1f5|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+29cf454|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd4551|C:\Program 
Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd39e4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd3439|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30d607|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3788365|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+37872c1|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3786ba8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30dbd8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000047201Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:50:34.239{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.8901489725689205653C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x800000000000000047200Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 08:50:34.239{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.8901489725689205653C:\Program Files\Google\Chrome\Application\chrome.exe 23542300x800000000000000047199Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:34.099{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFBE10A8B6C0A069B59290CFAEE5C8A8,SHA256=1E541D9AA68326EF8C33477BA8E26E305B8FDC0441359BF885D1A63BB52CE55E,IMPHASH=00000000000000000000000000000000falsetrue 18141800x800000000000000047198Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:50:34.012{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.6150209004901433229C:\Program 
Files\Google\Chrome\Application\chrome.exe 17141700x800000000000000047197Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 08:50:34.012{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.6150209004901433229C:\Program Files\Google\Chrome\Application\chrome.exe 23542300x800000000000000047230Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:35.904{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B09FB0FBB9905188A729F18511D90443,SHA256=7CE71079BE6881BBAEE58B63F3E09AA71E026D0CFA033CE250E01151FDED4C18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025306Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:50:35.908{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B65BA08DCFDD5264D11DD0B4B45FE05E,SHA256=0A8401A21886C39BB6E0028B2AF27B76F516D61B98C4B531BE25CA0EBC5061D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047229Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:35.755{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=DE96205F5AFD20DDB7E6536D87CD39BD,SHA256=E2E75142DC8D0C5482CD2CD3C49AF5D36A0CBD0E3A4098CE96892CD8D91B2F55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047228Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:35.755{C8F4C507-495A-6140-7B00-00000000F001}3640NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=29E6D19C8CAC038F0EC0AFF7DA1B997A,SHA256=49D9180CCAAE7CAA5957AAD1E44419CCB09327EE2A950D3C45BC96F1C1022E7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047227Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:34.511{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local57493-false142.250.185.234fra16s53-in-f10.1e100.net443https 354300x800000000000000047226Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:34.146{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-64082- 354300x800000000000000047225Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:34.120{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local64082- 22542200x800000000000000047224Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:34.359{C8F4C507-61CB-6140-9408-00000000F001}4428www100.bb.com.br0170.66.72.5;C:\Program Files\Google\Chrome\Application\chrome.exe 23542300x800000000000000025307Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:50:36.939{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4F276FA2E01E7D82346D0281D15874,SHA256=E778201111AF7D4665DE72A626C8B29636221A7EEB82BFA865CE8CF693B444D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047237Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:36.969{C8F4C507-4948-6140-2D00-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=97307B6C6226AFFEFEDDF9EBA24D5EA3,SHA256=4CB856A974CB30F2D8F223261AE885385947BBAEFF3925236FB5B2D7588E78E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047236Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:36.911{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EAE48B99D1874295B1157D74CDC5202,SHA256=28DF67B782FA4810EAF045D1001582E5152E101040B0D5C74CB24B52BC7A0686,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047235Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:35.333{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local57494-false10.0.1.12-8000- 354300x800000000000000047234Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:34.596{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local54998-false170.66.72.5-443https 
354300x800000000000000047233Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:34.586{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-158.attackrange.local65328-false142.250.181.238fra16s56-in-f14.1e100.net443https 354300x800000000000000047232Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:34.584{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local60996-false170.66.72.5-443https 23542300x800000000000000047231Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:36.269{C8F4C507-61C9-6140-9108-00000000F001}2256ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Local State~RF624895.TMPMD5=0A15B1645BE60AF1BE6873A52916A9F3,SHA256=7D701D711429B77901BDCC59771B214ED4BEEC363F464F3687B09831589B8C82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047279Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:37.930{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBFF27CDAA325142D279D182DE76CA29,SHA256=6FD7B047C457F51CA6BAA676A13D96A9C755E720BF4E1BE49AEFCF088419AB6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025308Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:50:33.747{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50895-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 18141800x800000000000000047278Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:50:37.922{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.2633474290371452720C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x800000000000000047277Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 08:50:37.922{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.2633474290371452720C:\Program Files\Google\Chrome\Application\chrome.exe 354300x800000000000000047276Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:36.590{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-49519- 354300x800000000000000047275Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:36.564{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local49519- 23542300x800000000000000047274Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:37.441{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7611C123260FE0CEA95B3BE35A1CB3A,SHA256=C626E8107308CF803DE03C51A02C782565AB4E316C729FC89A10FA591E25FCD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047273Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:37.372{C8F4C507-61C9-6140-9108-00000000F001}22563920C:\Program 
Files\Google\Chrome\Application\chrome.exe{C8F4C507-625D-6140-E508-00000000F001}6308C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000047272Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:37.372{C8F4C507-61C9-6140-9108-00000000F001}22563920C:\Program 
Files\Google\Chrome\Application\chrome.exe{C8F4C507-625D-6140-E508-00000000F001}6308C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000047271Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:37.372{C8F4C507-61C9-6140-9108-00000000F001}22563920C:\Program 
Files\Google\Chrome\Application\chrome.exe{C8F4C507-625D-6140-E508-00000000F001}6308C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000047270Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:37.372{C8F4C507-61C9-6140-9108-00000000F001}22563920C:\Program 
Files\Google\Chrome\Application\chrome.exe{C8F4C507-625D-6140-E508-00000000F001}6308C:\Program Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000047269Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:37.372{C8F4C507-61C9-6140-9108-00000000F001}22563920C:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2C90BA9919050AD585D934826E2FD84,SHA256=CBD5E88C2FE0A4210A3057580476909C41AEC6E957532212A5CD33CE261D7BC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047314Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:39.514{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local55918-false170.66.72.2-443https 354300x800000000000000047313Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:39.477{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50007-false170.66.72.2-443https 354300x800000000000000047312Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:38.576{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50361- 354300x800000000000000047311Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:38.576{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local59050- 354300x800000000000000047310Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:38.576{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50257- 22542200x800000000000000047309Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:50:39.268{C8F4C507-61CB-6140-9408-00000000F001}4428eni.bb.com.br0170.66.72.2;C:\Program Files\Google\Chrome\Application\chrome.exe 23542300x800000000000000047317Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:41.982{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9F6160F1DBB216722D703CF615951B7,SHA256=7B0D8A1E9B062748FDC7B7D7C76F104790F4FE7BD4919C6B9530C91E2E4702AC,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000047316Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:39.553{C8F4C507-61CB-6140-9408-00000000F001}4428github9003-C:\Program Files\Google\Chrome\Application\chrome.exe 23542300x800000000000000025312Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:50:41.095{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCDAF29775965C9938BBC588DFF52D97,SHA256=F470CB68F956A338FA5DF49F37AC14F760A5DBFA357089343FC9B048A6E1A4ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025313Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:50:42.111{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED579FEBB90D7EE28C19671B49F46CBB,SHA256=9789798DDAEB8C522D5B372B157A23EE2E8439908DF30FF431A024AE2172102B,IMPHASH=00000000000000000000000000000000falsetrue 
354300x800000000000000047319Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:40.621{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-59862- 354300x800000000000000047318Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:40.595{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local59862- 354300x800000000000000025315Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:50:39.763{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50896-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025314Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:50:43.126{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4922C804533ABCECA776144B92590D80,SHA256=87CB53EF218ECCE46171B02249B408D038D1E21F89B76FDFD3D0C5B38C02A4D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047333Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:43.973{C8F4C507-61C9-6140-9208-00000000F001}36645648C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6263-6140-E608-00000000F001}5672C:\Program Files\Google\Chrome\Application\chrome.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\Google\Chrome\Application\chrome.exe+3e13f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000047332Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:50:43.973{C8F4C507-6263-6140-E608-00000000F001}5672\crashpad_2256_QIVMBVIRDSVQPOOJC:\Program Files\Google\Chrome\Application\chrome.exe 18141800x800000000000000047331Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:50:43.973{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.9870278376198288533C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x800000000000000047330Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 08:50:43.973{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.9870278376198288533C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x800000000000000047329Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:43.942{C8F4C507-5C83-6140-A007-00000000F001}4224696C:\Windows\system32\csrss.exe{C8F4C507-6263-6140-E608-00000000F001}5672C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047328Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:43.942{C8F4C507-61C9-6140-9108-00000000F001}22564156C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6263-6140-E608-00000000F001}5672C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Google\Chrome\Application\chrome.exe+3f075|C:\Program Files\Google\Chrome\Application\chrome.exe+ae1f5|C:\Program 
Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+29cf454|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd4551|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd39e4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+cd3439|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30d607|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3788365|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+37872c1|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3786ba8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+30dbd8|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000047327Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:50:43.942{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.17215606942422071260C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x800000000000000047326Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 08:50:43.942{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.17215606942422071260C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x800000000000000047325Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:50:43.566{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-4934-6140-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x800000000000000047324Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:42.522{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local56816-false170.66.11.10www.bb.com.br443https 354300x800000000000000047323Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:42.297{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local59513-false170.66.11.10www.bb.com.br443https 354300x800000000000000047322Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:42.172{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program 
Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local52968-false170.66.11.10www.bb.com.br443https 354300x800000000000000047321Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:41.146{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local55919-false10.0.1.12-8000- 23542300x800000000000000047320Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:43.012{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DFBA8871DB0AAB55C90BCFD9D7C38ED,SHA256=A07909645D9109881C1BEE17B3555F497BA1D82F88037AACF5BBB0599E293419,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025316Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:50:44.142{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06993AE34B267DA9AFF20508C8BCC832,SHA256=0EA5D63603A631E716FDFC99D270BA4176076FA3DF8013798C14B3E6617F570D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047341Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:43.582{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-158.attackrange.local56818-false10.0.1.14win-dc-158.attackrange.local389ldap 354300x800000000000000047340Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:50:43.582{C8F4C507-4938-6140-1600-00000000F001}1324C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local56818-false10.0.1.14win-dc-158.attackrange.local389ldap 354300x800000000000000047339Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:43.571{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local56817-truefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local389ldap 354300x800000000000000047338Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:43.571{C8F4C507-4938-6140-1600-00000000F001}1324C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local56817-truefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local389ldap 23542300x800000000000000047337Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:44.456{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6E89303A032F1743EC145B959092D7B,SHA256=D2FC6F1FD6218EECF53FD7CCF79649E34B5C79CCBC596CBA1C8CF05E17CCFEDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047336Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:44.456{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C14F7983AF6CC403DD8E1EFC8606144D,SHA256=6057930F1EF4EADED092B56D28E3BC8E5749E0C5ED588FB51B71903D2F6BAC42,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000047335Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:44.303{C8F4C507-61C9-6140-9108-00000000F001}2256ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\chrome_BITS_2256_1751195639\0.57.44.2492_hnimpnehoodheedghdeeijklkeaacbdc.crxMD5=B92BBCFD3C31F799C5863D78154DB555,SHA256=6F6BC93DCD62DC251850D2FF458FDA96083CEB7FBE8EEB11248B8485EF2AEA23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047334Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:44.030{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=585A6B775D2BF7FCB5ED15B8350FED33,SHA256=355442CF22E4C911B2CE2F1C2C0FAA0F7B3E1BEFAD829E8AC887CAD3935B55CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025317Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:50:45.149{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=882C601A9647CEDFE75FA75D81BC8FBF,SHA256=105CCC1EB8F310A69DA8DE7D9707F2669EB71CC212047825CDDC7925BA6F562C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047353Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:44.430{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-158.attackrange.local51611-false142.250.181.227fra16s56-in-f3.1e100.net443https 
354300x800000000000000047352Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:43.692{C8F4C507-4934-6140-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local56819-truefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local445microsoft-ds 354300x800000000000000047351Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:43.692{C8F4C507-4934-6140-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local56819-truefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local445microsoft-ds 23542300x800000000000000047350Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:45.572{C8F4C507-618F-6140-6D08-00000000F001}3168ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.binMD5=E2943BEF20C5436E5B36EB89FC997D42,SHA256=8F8491DB7BBF660D59D1021C51E099035FB80EA9D4B58BE968DBD99FECFF46DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047349Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:45.571{C8F4C507-618F-6140-6D08-00000000F001}3168ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.binMD5=FD030627EC9E381B6A3F10D8700C007C,SHA256=E94A769D39EEC5BBB86667A4582E5015BCCD1F13FADF16272B922C07047487F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047348Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:45.569{C8F4C507-618F-6140-6D08-00000000F001}3168ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.binMD5=EB1B03D5937DCB50A7897BC6C0708B12,SHA256=BDC38BA53D2C825E1680F9F30AEFA8037FE57946DE9FF3D50247CE1D1C3C53C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047347Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:45.568{C8F4C507-618F-6140-6D08-00000000F001}3168ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.binMD5=93568DA6306B04E87A98AE6EB72FD008,SHA256=0AAD74572B68964B4AABDE13649E5CCE41CA92BF621E53DE5D2841CC2A0FA918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047346Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:45.567{C8F4C507-618F-6140-6D08-00000000F001}3168ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.binMD5=B3E8516770DBE991DE5359503A9D4893,SHA256=0428ABDD704E60AD0905F7A82D3C4A816607B5043BFB47ADE896059D5943AD83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047345Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:45.566{C8F4C507-618F-6140-6D08-00000000F001}3168ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.binMD5=AE2E7FA79A760265281790BB6EEA9EBE,SHA256=4B8054F542CC1D9A93C871A444B0D21DFA1EF8FC67641137204AEE8A15DDFCB5,IMPHASH=00000000000000000000000000000000falsetrue 18141800x800000000000000047344Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 
08:50:45.335{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.1832683540006258865C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x800000000000000047343Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 08:50:45.335{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.1832683540006258865C:\Program Files\Google\Chrome\Application\chrome.exe 23542300x800000000000000047342Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:45.041{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E08FA13FEC809B760842A114C46F91C,SHA256=284684540E52C9733A5B2CB901A3C7EBDD27061F076F96CB6C6594F74477E0E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025318Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:50:46.165{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE5EA7DFC57E16A535302A3F200AAB05,SHA256=438A651F7C3D096EF7C1E15DC7B349BB66909D02A7A2AA37B15421878743D713,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047355Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:44.893{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local56228-false170.66.11.10www.bb.com.br443https 23542300x800000000000000047354Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:46.056{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6996A2B00451F909EDA2CF4E802D4314,SHA256=D5E14BC116B2F84DA0EC8233769987B8E54A6467DA864D807E8D39426C8EA21C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047368Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:47.837{C8F4C507-6267-6140-E708-00000000F001}62925284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000047367Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:46.255{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local56229-false10.0.1.12-8000- 354300x800000000000000047366Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:45.677{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-158.attackrange.local63306-false142.250.181.234fra16s56-in-f10.1e100.net443https 10341000x800000000000000047365Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:50:47.590{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-6267-6140-E708-00000000F001}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047364Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:47.590{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047363Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:50:47.590{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047362Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:47.590{C8F4C507-4936-6140-0500-00000000F001}416532C:\Windows\system32\csrss.exe{C8F4C507-6267-6140-E708-00000000F001}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047361Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:50:47.590{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047360Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:47.590{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047359Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:47.590{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-6267-6140-E708-00000000F001}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047358Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:47.591{C8F4C507-6267-6140-E708-00000000F001}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
23542300x800000000000000047357Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:47.175{C8F4C507-61C9-6140-9108-00000000F001}2256ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Local State~RF627320.TMPMD5=0B42401854BF2F95A9A56B4263356FCD,SHA256=49BBE7F3DE2DF8D1A6D0B72203D421F25075B2D781F8916F0AC8C731FADEC481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047356Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:47.059{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFFEE2E45A7CDF09410C59A2366A2B8A,SHA256=9429FAC9D4C1421B9A8C1051B1E75DC10C55138B241738426C14D2AF2547DEE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025319Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:50:47.165{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B71F8E3069D26275DE519FC436B087B7,SHA256=0CECB04B820E35D4D8C37554292665723050850022CF88FAF0607F535562362D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025321Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:50:44.789{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50897-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 
23542300x800000000000000025320Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:50:48.180{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=463EC835A56D9B63B29B58906C9811F4,SHA256=F7AD9601BB26D8362DFA597F045696AFC97ADFBF2E1DAA1F415F29ED43E7A548,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047386Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:48.921{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-6268-6140-E908-00000000F001}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047385Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:48.921{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000047384Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:48.921{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047383Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:48.921{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047382Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:50:48.921{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047381Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:48.921{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-6268-6140-E908-00000000F001}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047380Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:48.921{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-6268-6140-E908-00000000F001}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047379Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:48.922{C8F4C507-6268-6140-E908-00000000F001}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047378Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:48.605{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6E89303A032F1743EC145B959092D7B,SHA256=D2FC6F1FD6218EECF53FD7CCF79649E34B5C79CCBC596CBA1C8CF05E17CCFEDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047377Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:50:48.258{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-6268-6140-E808-00000000F001}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047376Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:48.258{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-6268-6140-E808-00000000F001}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047375Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:48.258{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047374Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:50:48.258{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047373Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:48.258{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047372Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:50:48.258{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047371Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:48.258{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-6268-6140-E808-00000000F001}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047370Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:48.259{C8F4C507-6268-6140-E808-00000000F001}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047369Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:48.074{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F32C9E87FB7951708069DEE402BDE776,SHA256=8B11BBD106EE17A5D5D43C1AF201E6E0144D136CECEA158E9719ADE91289F365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047389Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:49.939{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EADD0B44CB028D2C3315B3B8EA9B42E,SHA256=B3E9045F916C721904B499857D95C204ECC4174851E71091C082559756FC3E04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047388Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:49.858{C8F4C507-61CB-6140-9408-00000000F001}4428ATTACKRANGE\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity~RF627daf.TMPMD5=593F3099E9F0DC49D959EC492BC4411C,SHA256=21D516C41588EB2FE214DD0FCF972B0ED8F6669E5061B710DEABDA7C691C5E1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047387Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:49.090{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58F14AEBFD3FC04B18A8B499F51F6E34,SHA256=D834EC1B591CA2D1D49EEFF0843DF3004681CC90FFB67A2BCEBA964D8EB2B693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025322Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:50:49.196{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1686FA6CDE910A10FA57C8732C34E7D2,SHA256=2BC260B9DB73302BA603C153BD854D5E8AE47B634D6E04DD6C5268216DB9631B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025323Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:50:50.212{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4EFE9FE557BD9B3008F0FDDE1115931,SHA256=B7979CD8FBAA874ED301CF2F4772BDE61B95E43C30757B9B2B10F78A4A2AF54C,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000047436Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:50.422{C8F4C507-61CB-6140-9408-00000000F001}4428s.yimg.com0type: 5 edge.gycpi.b.yahoodns.net;87.248.118.23;87.248.118.22;C:\Program Files\Google\Chrome\Application\chrome.exe 22542200x800000000000000047435Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:50.405{C8F4C507-61CB-6140-9408-00000000F001}4428connect.facebook.net0type: 5 scontent.xx.fbcdn.net;157.240.20.19;C:\Program Files\Google\Chrome\Application\chrome.exe 22542200x800000000000000047434Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:50.370{C8F4C507-61CB-6140-9408-00000000F001}4428snap.licdn.com0type: 5 wildcard.licdn.com.edgekey.net;type: 5 e9706.dscg.akamaiedge.net;23.210.253.242;C:\Program Files\Google\Chrome\Application\chrome.exe 22542200x800000000000000047433Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:50.282{C8F4C507-61CB-6140-9408-00000000F001}4428www.google.de0142.250.185.131;C:\Program Files\Google\Chrome\Application\chrome.exe 22542200x800000000000000047432Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:50.275{C8F4C507-61CB-6140-9408-00000000F001}4428analytics.google.com0type: 5 www3.l.google.com;142.250.185.206;C:\Program Files\Google\Chrome\Application\chrome.exe 22542200x800000000000000047431Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:50.199{C8F4C507-61CB-6140-9408-00000000F001}4428apimesabi.relacionamento360.com.br020.55.56.125;C:\Program Files\Google\Chrome\Application\chrome.exe 
22542200x800000000000000047430Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:49.268{C8F4C507-61CB-6140-9408-00000000F001}4428www101.bb.com.br0170.66.72.4;C:\Program Files\Google\Chrome\Application\chrome.exe 354300x800000000000000047429Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:49.493{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local58727-false170.66.72.4-443https 354300x800000000000000047428Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:49.077{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50369- 354300x800000000000000047427Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:49.044{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50369- 23542300x800000000000000047426Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:50.639{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC5C190C74161C721B38866D8A22F1D6,SHA256=3E908315FC3D34D2DEDAA3545E043414E42E5C917399867536216912495DA1C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047425Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:50.544{C8F4C507-61C9-6140-9108-00000000F001}22563920C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-626A-6140-EB08-00000000F001}6828C:\Program 
Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000047424Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:50.544{C8F4C507-61C9-6140-9108-00000000F001}22563920C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-626A-6140-EB08-00000000F001}6828C:\Program 
Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000047423Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:50.544{C8F4C507-61C9-6140-9108-00000000F001}22563920C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-626A-6140-EB08-00000000F001}6828C:\Program 
Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50609-false142.250.184.230fra24s12-in-f6.1e100.net443https 354300x800000000000000047467Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:50.399{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local59353-false157.240.20.19xx-fbcdn-shv-02-frt3.fbcdn.net443https 354300x800000000000000047466Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:50.395{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local49601- 354300x800000000000000047465Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:50.387{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local59639- 354300x800000000000000047464Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:50.383{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local58075- 354300x800000000000000047463Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:50.363{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local60664-false23.210.253.242a23-210-253-242.deploy.static.akamaitechnologies.com443https 354300x800000000000000047462Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:50:50.360{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local61160- 354300x800000000000000047461Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:50.330{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-158.attackrange.local64593-false173.194.76.157ws-in-f157.1e100.net443https 354300x800000000000000047460Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:50.304{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-158.attackrange.local58074-false142.250.185.110fra16s49-in-f14.1e100.net443https 354300x800000000000000047459Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:50.279{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local62840-false20.55.56.125-443https 354300x800000000000000047458Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:50.277{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local64492-false173.194.76.157ws-in-f157.1e100.net443https 354300x800000000000000047457Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:50.277{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local63325-false142.250.185.131fra16s50-in-f3.1e100.net443https 
10341000x800000000000000047456Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:51.522{C8F4C507-626B-6140-EC08-00000000F001}52083916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047455Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:51.338{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-626B-6140-EC08-00000000F001}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047454Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:50:51.336{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047453Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:51.336{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047452Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:50:51.336{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047451Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:51.335{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047450Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:51.335{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-626B-6140-EC08-00000000F001}5208C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047449Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:51.335{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-626B-6140-EC08-00000000F001}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047448Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:51.334{C8F4C507-626B-6140-EC08-00000000F001}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047447Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:51.274{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FAD1D34BAAFED5E2EBDF420C0E88052,SHA256=70AF7E0917A2088CBC8B85CC7863729BC30EE2B6F6586C3472055A618066A229,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047446Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:50.270{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local58542- 354300x800000000000000047445Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:50.268{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local52043-false142.250.185.206fra16s52-in-f14.1e100.net443https 354300x800000000000000047444Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:50.265{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local58729- 354300x800000000000000047443Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:50:50.183{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local58410- 354300x800000000000000047442Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:50.151{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local56692-false142.250.185.110fra16s49-in-f14.1e100.net443https 354300x800000000000000047441Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:50.147{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local49240- 354300x800000000000000047440Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:50.144{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-158.attackrange.local58069-false142.250.186.104fra24s06-in-f8.1e100.net443https 23542300x800000000000000047439Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:51.125{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C65427F176EED73077DD4501989A4E8,SHA256=817E0847EB968CDD2A367C2BCC9B2032AF1E0B2F95443B3B3E6D34C06FBD41A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047438Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:50.043{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program 
Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local56373-false142.250.186.104fra24s06-in-f8.1e100.net443https 354300x800000000000000047437Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:50.040{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local51453- 23542300x800000000000000025325Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:50:52.243{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3E9501B1D678BA428CC2890023F044,SHA256=F3EEEABC65A6946B82C5AEF0B6C349FF9EDD1BBC786990051430CC9DCE9958D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047511Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:52.888{C8F4C507-626C-6140-ED08-00000000F001}28444508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000047510Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:50:51.748{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local51364- 354300x800000000000000047509Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:51.748{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local62321- 354300x800000000000000047508Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:51.748{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local51883- 354300x800000000000000047507Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:51.747{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local59894- 354300x800000000000000047506Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:51.747{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local59707- 354300x800000000000000047505Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:51.550{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local61223-false157.240.20.35edge-star-mini-shv-02-frt3.facebook.com443https 354300x800000000000000047504Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:50:51.448{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local64465-false212.82.100.181spdc.pbp.vip.ir2.yahoo.com443https 354300x800000000000000047503Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:51.188{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-158.attackrange.local60283-false157.240.20.19xx-fbcdn-shv-02-frt3.fbcdn.net443https 354300x800000000000000047502Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:51.035{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local56131-false13.107.42.14-443https 354300x800000000000000047501Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:51.030{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local59031- 10341000x800000000000000047500Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:52.585{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-626C-6140-ED08-00000000F001}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047499Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:50:52.584{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047498Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:52.583{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047497Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:50:52.583{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047496Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:52.583{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047495Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:52.583{C8F4C507-4936-6140-0500-00000000F001}416532C:\Windows\system32\csrss.exe{C8F4C507-626C-6140-ED08-00000000F001}2844C:\Program 
08:50:54.053{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047549Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:54.052{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-626E-6140-F008-00000000F001}5444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047548Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:54.052{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-626E-6140-F008-00000000F001}5444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047547Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:54.050{C8F4C507-626E-6140-F008-00000000F001}5444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000025327Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:50:50.738{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50898-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000047570Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:55.643{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF64B0470D441949E7EFF2B7B70B8D3A,SHA256=E2D9A5E9E962A418D10F7E12B887F71A82F6AF962D00F4FCA356D2914764DEBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025329Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:50:55.290{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=407A691CC5008BC58B7E04BE0D6C42D5,SHA256=24D99E36A0B2233B39EC352CAF25D42E1DC69B518DD1210DF46D016B1DEC4792,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000047569Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:53.507{C8F4C507-61CB-6140-9408-00000000F001}4428static.xx.fbcdn.net0type: 5 scontent.xx.fbcdn.net;157.240.20.19;C:\Program Files\Google\Chrome\Application\chrome.exe 22542200x800000000000000047568Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:53.166{C8F4C507-61CB-6140-9408-00000000F001}4428facebook.com0157.240.20.35;C:\Program Files\Google\Chrome\Application\chrome.exe 23542300x800000000000000047567Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:55.058{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60DBC13ADC409669E588A4D069B49B1E,SHA256=7328737BF65A02CA5F2F68A106408C701DA769D1C107CF4A0DF4862588AD43EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047571Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:50:56.658{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2E2E2C8EB87FC319FE75C0A67EEDEB5,SHA256=A270BB7CBB648C640889CF0ABACE65A877C5DA9B7468727D2DB6C95725320B1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025330Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:50:56.305{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F176539A44DB306E3D24016B5A7ECFC,SHA256=6D3B69CD66EAF8EE3D7E28DD960A25DB43FF166CF0CBCE94F639620BC5F156D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047573Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:56.042{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-158.attackrange.local62151-false142.250.185.206fra16s52-in-f14.1e100.net443https 23542300x800000000000000047572Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:57.661{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBE3B23C70C107DF3B5E056E485A739C,SHA256=07EDEF8579420DCFFE189E7328B29D7C42C0DF7291AA7E6D507DE50814A48174,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025331Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:50:57.321{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F20186EF08D6FAB7140E209AFD9A96,SHA256=DB59B264E3E6A44A258F9A30F5F588B51817C90E1A3B35CDAD15DE260CECF265,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047590Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:57.340{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local60965-false10.0.1.12-8000- 23542300x800000000000000047589Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:58.673{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D264138F5B1A9B07DA02226DCA474A,SHA256=BBA45CCF7BABCED8DA9837650DC9A1F9AC1CBB804023952457F022984F98B25A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025332Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:50:58.337{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC1C2401BD555EEB92EEA8CF552DBC23,SHA256=7A64E3571A60CF9D8EC5994F5A8B3B0597C78ADD8A423C14D98B0441EF9C9CB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047588Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:58.536{C8F4C507-61C9-6140-9108-00000000F001}22563920C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6272-6140-F108-00000000F001}6168C:\Program 
Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000047587Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:58.536{C8F4C507-61C9-6140-9108-00000000F001}22563920C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6272-6140-F108-00000000F001}6168C:\Program 
Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000047586Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:58.536{C8F4C507-61C9-6140-9108-00000000F001}22563920C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6272-6140-F108-00000000F001}6168C:\Program 
Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000047585Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:58.536{C8F4C507-61C9-6140-9108-00000000F001}22563920C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6272-6140-F108-00000000F001}6168C:\Program 
Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000047584Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:58.536{C8F4C507-61C9-6140-9108-00000000F001}22563920C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6272-6140-F108-00000000F001}6168C:\Program 
Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000047583Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:58.536{C8F4C507-61C9-6140-9108-00000000F001}22563920C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6272-6140-F108-00000000F001}6168C:\Program 
Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000047582Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:58.536{C8F4C507-61C9-6140-9108-00000000F001}22563920C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6272-6140-F108-00000000F001}6168C:\Program 
Files\Google\Chrome\Application\chrome.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e8a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+973e35|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f512|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+d3f28a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5e850e|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3687cc2|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a548|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+317a669|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3b9274a|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+3a40bdc|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b27cd|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+32b0f6c|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+31131af|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+5a784|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+921773|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39926|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b396a4|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+18c7ece|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+b39493|C:\Program Files\Google\Chrome\Application\93.0.4577.82\chrome.dll+8c8edc|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000047581Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:58.500{C8F4C507-61C9-6140-9208-00000000F001}36645648C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6272-6140-F108-00000000F001}6168C:\Program 
Files\Google\Chrome\Application\chrome.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Google\Chrome\Application\chrome.exe+3e13f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000047580Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:50:58.500{C8F4C507-6272-6140-F108-00000000F001}6168\crashpad_2256_QIVMBVIRDSVQPOOJC:\Program Files\Google\Chrome\Application\chrome.exe 18141800x800000000000000047579Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:50:58.480{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.11940303480563738776C:\Program Files\Google\Chrome\Application\chrome.exe 17141700x800000000000000047578Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 08:50:58.480{C8F4C507-61C9-6140-9108-00000000F001}2256\mojo.2256.3920.11940303480563738776C:\Program Files\Google\Chrome\Application\chrome.exe 10341000x800000000000000047577Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:58.473{C8F4C507-5C83-6140-A007-00000000F001}4224696C:\Windows\system32\csrss.exe{C8F4C507-6272-6140-F108-00000000F001}6168C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047576Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:50:58.473{C8F4C507-61C9-6140-9108-00000000F001}22564156C:\Program Files\Google\Chrome\Application\chrome.exe{C8F4C507-6272-6140-F108-00000000F001}6168C:\Program Files\Google\Chrome\Application\chrome.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program 
Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047659Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:01.247{C8F4C507-618F-6140-6D08-00000000F001}31684016C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6191-6140-6E08-00000000F001}6744C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047658Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:01.220{C8F4C507-618F-6140-6D08-00000000F001}31684016C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6191-6140-6E08-00000000F001}6744C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla 
Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047657Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:01.220{C8F4C507-618F-6140-6D08-00000000F001}31684016C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6191-6140-6E08-00000000F001}6744C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program 
Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047656Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:01.220{C8F4C507-618F-6140-6D08-00000000F001}31684016C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6191-6140-6E08-00000000F001}6744C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047655Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:01.220{C8F4C507-618F-6140-6D08-00000000F001}31684016C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6191-6140-6E08-00000000F001}6744C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla 
Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047654Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:01.220{C8F4C507-618F-6140-6D08-00000000F001}31684016C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6191-6140-6E08-00000000F001}6744C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program 
Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047653Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:01.220{C8F4C507-618F-6140-6D08-00000000F001}31684016C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6191-6140-6E08-00000000F001}6744C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+27c3fa8|C:\Program Files\Mozilla Firefox\xul.dll+27b52ec|C:\Program Files\Mozilla Firefox\xul.dll+bfe491|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 10341000x800000000000000047652Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:01.151{C8F4C507-618F-6140-6D08-00000000F001}31684016C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6191-6140-6E08-00000000F001}6744C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla 
Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0caf6 10341000x800000000000000047651Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:01.151{C8F4C507-618F-6140-6D08-00000000F001}31684016C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6191-6140-6E08-00000000F001}6744C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program 
Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0caf6 10341000x800000000000000047650Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:01.150{C8F4C507-618F-6140-6D08-00000000F001}31684016C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6191-6140-6E08-00000000F001}6744C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0caf6 354300x800000000000000047695Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:51:00.911{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50808- 354300x800000000000000047694Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:00.911{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52214- 354300x800000000000000047693Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:00.911{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-64293- 354300x800000000000000047692Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:00.906{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50571-false200.152.173.200-443https 354300x800000000000000047691Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:00.881{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local52214- 354300x800000000000000047690Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:00.881{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50808- 354300x800000000000000047689Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:00.881{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local64293- 
354300x800000000000000047688Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:00.881{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local51887- 354300x800000000000000047687Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:00.880{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local59222- 354300x800000000000000047686Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:00.880{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local60929- 23542300x800000000000000047685Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:02.869{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D4A9D75AA9FAC6FC74C3851442DCCF5,SHA256=96A0FAFF00C5333E9C364BE25C1637B015B706A492B2450BE60AA524D4788387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025338Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:02.586{4A7D70D7-4BB8-6140-1300-00000000F101}368NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B372C64FC9CF08AE1A3B51484AAECDBE,SHA256=A4992DE770F244DA9A85D8454F0CCD0EE53B75E5EA530CDA2F5645CB52C7A46F,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000025337Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:02.399{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36411852AB3F6402A263910BCE452A7D,SHA256=3C64EE75184F5035F7274DA8AC7563E0D1650BA8CED9437EF90CC4422A87E820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047696Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:03.884{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65DA5A6128E7D4F5BB0E38ACF83796E0,SHA256=2BC299D2441B1447718BCED5D4CA7A821DAFC7E3205BA4B5A97967B612071E77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025339Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:03.399{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C446A489C683841BE1CD08014638BBA,SHA256=2C19B069378A810F5BFE4933463AA7F9B0BD586ADB9F86EA844205AE46788A3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047707Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:04.894{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9A1AA6EBE392D104BE1A299D6E9423D,SHA256=410D51672B6670E266D1DB7B5516854FD02FCC0659C33D3D45D5F74EE241A3ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025340Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:04.415{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420DF6D86CD96D553816769F4BA5F3C2,SHA256=A8CC5EE09A0AE93D7A01B530913DFE9D4A312FE14803723A945F5842AD0D15D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047706Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:04.203{C8F4C507-618F-6140-6D08-00000000F001}31684016C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6191-6140-6E08-00000000F001}6744C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59bc2|C:\Program Files\Mozilla Firefox\xul.dll+b73a63|C:\Program Files\Mozilla Firefox\xul.dll+b736f4|C:\Program Files\Mozilla Firefox\xul.dll+b73f2c|C:\Program Files\Mozilla Firefox\xul.dll+f73c12|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program 
Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0|C:\Program Files\Mozilla Firefox\xul.dll+f0ba15|C:\Program Files\Mozilla Firefox\xul.dll+f0b5a4|C:\Program Files\Mozilla Firefox\xul.dll+f0b049 10341000x800000000000000047705Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:04.203{C8F4C507-618F-6140-6D08-00000000F001}31684016C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6191-6140-6E08-00000000F001}6744C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59bc2|C:\Program Files\Mozilla Firefox\xul.dll+b73a63|C:\Program Files\Mozilla Firefox\xul.dll+b736f4|C:\Program Files\Mozilla Firefox\xul.dll+b73f2c|C:\Program Files\Mozilla Firefox\xul.dll+f73c12|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0|C:\Program Files\Mozilla Firefox\xul.dll+f0ba15|C:\Program Files\Mozilla Firefox\xul.dll+f0b5a4|C:\Program Files\Mozilla Firefox\xul.dll+f0b049 10341000x800000000000000047704Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:04.203{C8F4C507-618F-6140-6D08-00000000F001}31684016C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6191-6140-6E08-00000000F001}6744C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+f73b88|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 354300x800000000000000047703Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:01.927{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-58079- 354300x800000000000000047702Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:01.927{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-60658- 354300x800000000000000047701Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:01.927{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-58078- 
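The records above are Sysmon events (EID 10 ProcessAccess, EID 3 NetworkConnect, EID 23 FileDelete) whose XML element tags were lost in the export, so the System fields and every EventData value run together without separators. As an added example, not part of the Attack Range dataset or the Splunk tooling, the Python below recovers the fields from that tagless layout by relying on what Sysmon guarantees (Keywords is always 0x8000000000000000, Task equals EventID, and each EID has a fixed EventData order), decodes the EID 10 GrantedAccess mask into the winnt.h process rights (the 0x40 seen throughout the Firefox records is PROCESS_DUP_HANDLE, a browser process opening a handle to its own image), and applies a small triage that treats same-image access with a module-backed call trace as baseline. The sample input is four records copied from the export above with one call trace abridged to three frames, plus one constructed record (lab-host.example.local, update.exe opening lsass.exe with 0x1fffff through an UNKNOWN frame) that exists only to show what the triage flags; that record, the regular expressions, the field names, and the triage thresholds are the example's own assumptions. One limitation the code keeps visible: SourceProcessId and SourceThreadId in EID 10 arrive as a single digit run and cannot be split apart unambiguously, so they are kept fused.

```python
"""Recover fields from tag-stripped Sysmon records (EID 10, 3, 23) and triage the EID 10 ones.
Added example, not part of the dataset; field order per EID follows the Sysmon schema."""
from __future__ import annotations
import re

# Sysmon writes Keywords=0x8000000000000000, Task == EventID and Opcode == 0 for every event,
# so the fused System digits "1034100" read as EventID 10, Version 3, Level 4, Task 10, Opcode 0.
HEADER = re.compile(
    r"^(?P<hdr>\d+)0x80+(?P<recid>[1-9]\d*)Microsoft-Windows-Sysmon/Operational"
    r"(?P<computer>\S+?)-(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)(?P<body>.*)$", re.S)

# EventData per EID. In EID 10 SourceProcessId and SourceThreadId form one digit run with no
# separator, so they stay fused as pid_tid rather than being guessed apart.
BODY = {
    10: re.compile(
        r"^\{(?P<src_guid>[0-9A-F-]+)\}(?P<pid_tid>\d+)(?P<src_image>.+?\.exe)"
        r"\{(?P<tgt_guid>[0-9A-F-]+)\}(?P<tgt_pid>\d+)(?P<tgt_image>.+?\.exe)"
        r"(?P<access>0x[0-9a-f]+?)(?P<trace>(?:[A-Z]:\\|UNKNOWN).*)?$", re.S),
    3: re.compile(
        r"^\{(?P<guid>[0-9A-F-]+)\}(?P<pid>\d+)(?P<image>.+?\.exe)(?P<user>.+?)"
        r"(?P<proto>tcp|udp)(?P<initiated>true|false)(?P<src_v6>true|false)"
        r"(?P<src_ip>[0-9.:]+)(?P<src_host>.*?)(?P<src_port>\d+)(?P<src_svc>[a-z-]*?)"
        r"(?P<dst_v6>true|false)(?P<dst_ip>[0-9.:]+)(?P<dst_host>.*?)(?P<dst_port>\d+)"
        r"(?P<dst_svc>[a-z-]*)$"),
    23: re.compile(
        r"^\{(?P<guid>[0-9A-F-]+)\}(?P<pid>\d+)(?P<user>.+?)(?P<image>[A-Z]:\\.+?\.exe)"
        r"(?P<target>[A-Z]:\\.+?)MD5=(?P<md5>[0-9A-F]+),SHA256=(?P<sha256>[0-9A-F]+),"
        r"IMPHASH=(?P<imphash>[0-9A-F]+)(?P<is_exe>true|false)(?P<archived>true|false)$"),
}

# Process access rights (winnt.h) used to decode the EID 10 GrantedAccess mask.
PROCESS_RIGHTS = {
    0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x4: "PROCESS_SET_SESSIONID",
    0x8: "PROCESS_VM_OPERATION", 0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE",
    0x40: "PROCESS_DUP_HANDLE", 0x80: "PROCESS_CREATE_PROCESS", 0x100: "PROCESS_SET_QUOTA",
    0x200: "PROCESS_SET_INFORMATION", 0x400: "PROCESS_QUERY_INFORMATION",
    0x800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
# Rights that let the opener alter the target's memory or threads (injection capable).
WRITE_RIGHTS = {"PROCESS_VM_WRITE", "PROCESS_VM_OPERATION", "PROCESS_CREATE_THREAD",
                "PROCESS_SUSPEND_RESUME", "PROCESS_SET_INFORMATION"}


def split_records(blob: str) -> list[str]:
    # Records are separated by whitespace that is immediately followed by a System header.
    return re.split(r"\s+(?=\d+0x80+[1-9]\d*Microsoft-Windows-Sysmon/Operational)", blob.strip())


def split_header(hdr: str) -> tuple[int, int, int]:
    """Unfuse EventID+Version+Level+Task+Opcode using Task == EventID and Opcode == 0."""
    for n in (1, 2, 3):
        eid = hdr[:n]
        if len(hdr) == 2 * n + 3 and hdr.endswith(eid + "0"):
            return int(eid), int(hdr[n]), int(hdr[n + 1])
    raise ValueError(f"unrecognised System digits {hdr!r}")


def parse_record(rec: str) -> dict:
    m = HEADER.match(rec.strip())
    if not m:
        raise ValueError("not a Sysmon record: " + rec[:60])
    eid, version, level = split_header(m["hdr"])
    ev = {"EventID": eid, "Version": version, "Level": level, "EventRecordID": int(m["recid"]),
          "Computer": m["computer"], "UtcTime": m["utc"]}
    body = BODY[eid].match(m["body"])
    if not body:
        raise ValueError(f"EID {eid} body did not match the Sysmon field order")
    ev.update(body.groupdict())
    return ev


def decode_access(mask: str) -> list[str]:
    value = int(mask, 16)
    names = [name for bit, name in PROCESS_RIGHTS.items() if value & bit]
    if leftover := value & ~sum(PROCESS_RIGHTS):  # bits not in the table are reported, not dropped
        names.append(f"UNKNOWN_0x{leftover:x}")
    return names


def triage_access(ev: dict) -> list[str]:
    """Reasons an EID 10 event deserves a look; an empty list is same-image baseline noise."""
    reasons, rights = [], set(decode_access(ev["access"]))
    cross = ev["src_image"].lower() != ev["tgt_image"].lower()
    if cross and rights & WRITE_RIGHTS:
        reasons.append("cross-process handle with " + ", ".join(sorted(rights & WRITE_RIGHTS)))
    if cross and ev["tgt_image"].lower().endswith("\\lsass.exe"):
        reasons.append("handle to lsass.exe from another image")
    if ev["trace"] and "UNKNOWN" in ev["trace"]:
        reasons.append("call trace passes through unbacked memory")
    return reasons


# Four records copied from the export (first EID 10 call trace abridged to three frames) plus
# one CONSTRUCTED EID 10 record (last line) that never occurred in the dataset.
SAMPLE = r"""
10341000x800000000000000047697Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:04.012{C8F4C507-618F-6140-6D08-00000000F001}31684016C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6191-6140-6E08-00000000F001}6744C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281
354300x800000000000000047692Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:00.906{C8F4C507-61CB-6140-9408-00000000F001}4428C:\Program Files\Google\Chrome\Application\chrome.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50571-false200.152.173.200-443https
354300x800000000000000047691Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:00.881{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local52214-
23542300x800000000000000025338Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:02.586{4A7D70D7-4BB8-6140-1300-00000000F101}368NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B372C64FC9CF08AE1A3B51484AAECDBE,SHA256=A4992DE770F244DA9A85D8454F0CCD0EE53B75E5EA530CDA2F5645CB52C7A46F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000900001Microsoft-Windows-Sysmon/Operationallab-host.example.local-2021-09-14 09:00:00.000{00000000-0000-0000-0000-000000000001}41005200C:\Users\Public\update.exe{00000000-0000-0000-0000-000000000002}644C:\Windows\System32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+9d204|UNKNOWN(00007FF6A0B21C2F)
"""

if __name__ == "__main__":  # one summary line per record; triage reasons only for EID 10
    for ev in map(parse_record, split_records(SAMPLE)):
        print(ev["EventID"], ev["EventRecordID"], ev.get("src_image", ev.get("image")),
              triage_access(ev) if ev["EventID"] == 10 else "")
```

Run stand-alone, the four copied records come out as baseline (the Firefox access is same-image with every frame backed by ntdll, KERNELBASE or xul.dll) and only the constructed record is flagged. Hostnames that begin with a hex letter would be swallowed by the IP group in EID 3, and a lowercase drive letter in a call trace would defeat the GrantedAccess boundary, so treat the regexes as a recovery aid for this export, not as a general Sysmon parser.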
354300x800000000000000047700Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:01.897{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local58079- 354300x800000000000000047699Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:01.896{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local60658- 354300x800000000000000047698Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:01.896{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local51190- 10341000x800000000000000047697Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:04.012{C8F4C507-618F-6140-6D08-00000000F001}31684016C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6191-6140-6E08-00000000F001}6744C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59bc2|C:\Program Files\Mozilla Firefox\xul.dll+b73a63|C:\Program Files\Mozilla Firefox\xul.dll+b736f4|C:\Program Files\Mozilla Firefox\xul.dll+b73f2c|C:\Program Files\Mozilla Firefox\xul.dll+f73c12|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla 
Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0|C:\Program Files\Mozilla Firefox\xul.dll+f0ba15|C:\Program Files\Mozilla Firefox\xul.dll+f0b5a4|C:\Program Files\Mozilla Firefox\xul.dll+f0b049 10341000x800000000000000047719Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:05.936{C8F4C507-618F-6140-6D08-00000000F001}31684016C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6191-6140-6E08-00000000F001}6744C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+27c3fa8|C:\Program Files\Mozilla Firefox\xul.dll+27b52ec|C:\Program Files\Mozilla Firefox\xul.dll+bfe491|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 10341000x800000000000000047718Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:51:05.910{C8F4C507-618F-6140-6D08-00000000F001}31684016C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6191-6140-6E08-00000000F001}6744C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047717Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:05.907{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47D0FAB31A080BCD2DDC45389306AE6C,SHA256=9FC6F630D11E33C50158DA39F673F46C74C836F8E084BFE19C43DF8C6C6B0578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025344Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:05.420{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E04E2FE69F338F84291E7D45ED2603E,SHA256=D0318B1A41FF9E644B7AB7D3B92ED1AEFA7A8D5CC1606F0C8D5C6883EABB309E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047716Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:05.715{C8F4C507-618F-6140-6D08-00000000F001}31684016C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6191-6140-6E08-00000000F001}6744C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+27c3fa8|C:\Program Files\Mozilla Firefox\xul.dll+27b52ec|C:\Program Files\Mozilla Firefox\xul.dll+bfe491|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 10341000x800000000000000047715Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:05.715{C8F4C507-618F-6140-6D08-00000000F001}31684016C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6191-6140-6E08-00000000F001}6744C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+27c3fa8|C:\Program Files\Mozilla Firefox\xul.dll+27b52ec|C:\Program Files\Mozilla Firefox\xul.dll+bfe491|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 22542200x800000000000000047714Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:04.249{C8F4C507-618F-6140-6D08-00000000F001}3168www.google.com02a00:1450:4001:812::2004;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000047713Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:05.491{C8F4C507-618F-6140-6D08-00000000F001}31684684C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6191-6140-6E08-00000000F001}6744C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla 
Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000047712Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:04.239{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local64756- 10341000x800000000000000047711Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:05.049{C8F4C507-618F-6140-6D08-00000000F001}31684016C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6191-6140-6E08-00000000F001}6744C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+f73b88|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0caf6 
354300x800000000000000047710Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:03.253{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50572-false10.0.1.12-8000- 354300x800000000000000047709Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:02.949{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51855- 354300x800000000000000047708Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:02.919{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local51855- 10341000x800000000000000025343Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:05.029{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB8-6140-1600-00000000F101}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025342Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:51:05.029{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB8-6140-1600-00000000F101}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025341Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:05.029{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB8-6140-1600-00000000F101}1168C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047726Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:06.912{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A901523AE864F747967BB9B67F3E80FD,SHA256=B79B22FBBE08CE0DA607600EFEC9D08091FDAF189DD20C0042072331A1949497,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025346Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:02.738{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50900-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025345Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:06.436{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39ED5BF641CC121758F737D831B2467A,SHA256=A198DE932E2A671C504F5CEF7B26D43A1A7BE3AD1E5E3C6C8A404F67B2369290,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047725Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:05.822{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local60067- 22542200x800000000000000047724Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:05.623{C8F4C507-618F-6140-6D08-00000000F001}3168plus.l.google.com02a00:1450:4001:801::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000047723Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:51:05.382{C8F4C507-618F-6140-6D08-00000000F001}3168gstaticadssl.l.google.com0172.217.16.131;C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000047722Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:05.373{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local51500- 354300x800000000000000047721Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:05.373{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local64032- 354300x800000000000000047720Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:05.371{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local63073- 23542300x800000000000000047733Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:07.920{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D775013C23D7F1FE7D6CE6FF9B2FBB15,SHA256=61DCC3CE46340FE810C48843C9757C091F994C23BFBB5087F2EB11BD8B5B1954,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025347Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:07.451{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84ED829FF8102AD583A96E88B32072E1,SHA256=FD4251B76A688138576B6DBD29231D230A3781272E3B476B80A99559AD902CCE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047732Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:06.097{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local51349- 354300x800000000000000047731Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:06.045{C8F4C507-618F-6140-6D08-00000000F001}3168C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-158.attackrange.local60085-false142.250.185.98fra16s49-in-f2.1e100.net443https 354300x800000000000000047730Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:06.044{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local65394- 354300x800000000000000047729Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:06.043{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local60084- 354300x800000000000000047728Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:05.905{C8F4C507-618F-6140-6D08-00000000F001}3168C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50574-false172.217.16.132zrh04s06-in-f132.1e100.net443https 354300x800000000000000047727Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:51:05.822{C8F4C507-618F-6140-6D08-00000000F001}3168C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50573-false142.250.185.234fra16s53-in-f10.1e100.net443https 23542300x800000000000000047735Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:08.924{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88309A1A8DAEFA9C309FA6A8C2A04F58,SHA256=74526EB1CD5506BC62B6E57F643E7C2C255B42D9C81FFB76CAC1A19343C49723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025348Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:08.467{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCEE1E5C88B6ADAE37902E4770492572,SHA256=C1FDBF3CC6895AF2B46BA854290677832D25F0B582B0F24C57D3872D502B681F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047734Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:08.881{C8F4C507-618F-6140-6D08-00000000F001}31684016C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6191-6140-6E08-00000000F001}6744C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program 
Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0caf6 23542300x800000000000000047742Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:09.934{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB45085C57B090D500707EF4740975B8,SHA256=B5773392B270E6B0643EBE9AC615CCE3D05B218F5368176F5BFE1C88B8454522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025349Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:09.482{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B50888A6E98F7CF1DC70F2FE1E55B53,SHA256=1E3A3C68598D7AF855EBE912FA5FCB75FE4BABB234A3BB4A998B6E46C74BE64C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047741Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:09.456{C8F4C507-618F-6140-6D08-00000000F001}31684016C:\Program Files\Mozilla 
Firefox\firefox.exe{C8F4C507-6193-6140-7208-00000000F001}4648C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e4c727|C:\Program Files\Mozilla Firefox\xul.dll+8b9000|C:\Program Files\Mozilla Firefox\xul.dll+8ad3ed|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047740Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:09.454{C8F4C507-618F-6140-6D08-00000000F001}31684016C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6191-6140-6E08-00000000F001}6744C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a0d439|C:\Program Files\Mozilla Firefox\xul.dll+a0d35a|C:\Program Files\Mozilla Firefox\xul.dll+a0cf49|C:\Program Files\Mozilla Firefox\xul.dll+a090df|C:\Program Files\Mozilla Firefox\xul.dll+a093ec|C:\Program Files\Mozilla Firefox\xul.dll+b55c5a|C:\Program Files\Mozilla Firefox\xul.dll+2d9649|C:\Program Files\Mozilla 
Firefox\xul.dll+2d9554|C:\Program Files\Mozilla Firefox\xul.dll+2d933d|C:\Program Files\Mozilla Firefox\xul.dll+2d91d4|C:\Program Files\Mozilla Firefox\xul.dll+ba1993|C:\Program Files\Mozilla Firefox\xul.dll+ba2691|C:\Program Files\Mozilla Firefox\xul.dll+ba168d|C:\Program Files\Mozilla Firefox\xul.dll+ba15e2|C:\Program Files\Mozilla Firefox\xul.dll+b723b2|C:\Program Files\Mozilla Firefox\xul.dll+1a1b580|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda 10341000x800000000000000047739Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:09.442{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-61C9-6140-9108-00000000F001}2256C:\Program Files\Google\Chrome\Application\chrome.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047738Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:09.442{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-61C9-6140-9108-00000000F001}2256C:\Program Files\Google\Chrome\Application\chrome.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047737Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:51:09.442{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-61C9-6140-9108-00000000F001}2256C:\Program Files\Google\Chrome\Application\chrome.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047736Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:09.442{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-61C9-6140-9108-00000000F001}2256C:\Program Files\Google\Chrome\Application\chrome.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047751Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:10.941{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6B8384EF47C8B2603843B06FA0B2C51,SHA256=2351F6537647CA74E4107C132DD071CBFB9A8AE6CA0D37E60C84EB466F3E030A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025350Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:10.498{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D02B259789C53C44BBFD33C08F97873,SHA256=AB21FF4ED39CF1787D9ADDDF158753FA1FC4655AB7658CC79E6CA6F5A16CBDDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047750Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:10.702{C8F4C507-618F-6140-6D08-00000000F001}3168ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\webappsstore.sqlite-walMD5=0B99D6603DDA66B698AD93537D369C41,SHA256=E7B58F8112883CA66E99ABC26080BF97D7A23390BEE9DDA1A3EB66C2E2DB5E3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047749Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:10.700{C8F4C507-618F-6140-6D08-00000000F001}3168ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\webappsstore.sqlite-shmMD5=77D4F1E510C0436060AF4D5CCD0371CB,SHA256=A32B78B7ACB99D6600406FD1C33D68712E3D9721E99049FCB043D0F801C64E05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047748Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:10.697{C8F4C507-618F-6140-6D08-00000000F001}3168ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=EBDE89AEB8DB35E14514246FFCFDE4B1,SHA256=07479FE386A9C6C81207F450364A3B96BA3FD3B4B6258BE994A14D592AB3426B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047747Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:10.683{C8F4C507-618F-6140-6D08-00000000F001}3168ATTACKRANGE\AdministratorC:\Program 
10341000x800000000000000047813Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:16.900{C8F4C507-618F-6140-6D08-00000000F001}31684016C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-619A-6140-7308-00000000F001}6836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(00000332BB5B1E84) 10341000x800000000000000047812Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:16.900{C8F4C507-618F-6140-6D08-00000000F001}31684016C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6192-6140-7008-00000000F001}5952C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(00000332BB5B1E84) 10341000x800000000000000047811Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:51:16.899{C8F4C507-618F-6140-6D08-00000000F001}31684016C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-619A-6140-7308-00000000F001}6836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(00000332BB5B1E84) 10341000x800000000000000047810Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:16.899{C8F4C507-618F-6140-6D08-00000000F001}31684016C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6192-6140-7008-00000000F001}5952C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(00000332BB5B1E84) 23542300x800000000000000047809Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:16.891{C8F4C507-618F-6140-6D08-00000000F001}3168ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\sessionstore-backups\recovery.jsonlz4MD5=DA345C6A8E3AD6CE530CD8D88C9582FE,SHA256=C441F0CC43D101E96323948E52C83115AC7A8BF5F4AA17455AF10F8D9BB86158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047808Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:16.890{C8F4C507-618F-6140-6D08-00000000F001}3168ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\sessionstore-backups\recovery.baklz4MD5=382FC376EF279AADC8A4C210712E7CD9,SHA256=8B77876E5BD5D5BD8F6279FC02E63E9A06CA628F481E650FD8CFC080F93FC649,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047807Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:16.888{C8F4C507-618F-6140-6D08-00000000F001}31684016C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6193-6140-7208-00000000F001}4648C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e4c727|C:\Program Files\Mozilla Firefox\xul.dll+8b9000|C:\Program Files\Mozilla Firefox\xul.dll+8ad3ed|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla 
Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047806Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:16.882{C8F4C507-618F-6140-6D08-00000000F001}31684016C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6192-6140-7008-00000000F001}5952C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e4c727|C:\Program Files\Mozilla Firefox\xul.dll+8b9000|C:\Program Files\Mozilla Firefox\xul.dll+8ad3ed|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x800000000000000047805Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:15.225{C8F4C507-618F-6140-6D08-00000000F001}3168play.google.com02a00:1450:4001:830::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000047804Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:15.224{C8F4C507-618F-6140-6D08-00000000F001}3168play.google.com0142.250.186.46;C:\Program Files\Mozilla Firefox\firefox.exe 
22542200x800000000000000047803Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:15.223{C8F4C507-618F-6140-6D08-00000000F001}3168play.google.com0::ffff:142.250.186.46;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000047802Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:14.826{C8F4C507-618F-6140-6D08-00000000F001}3168www3.l.google.com02a00:1450:4001:810::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000047801Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:14.824{C8F4C507-618F-6140-6D08-00000000F001}3168www3.l.google.com0142.250.185.206;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000047800Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:14.823{C8F4C507-618F-6140-6D08-00000000F001}3168ogs.google.com0type: 5 www3.l.google.com;::ffff:142.250.185.206;C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000047799Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:15.216{C8F4C507-618F-6140-6D08-00000000F001}3168C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50579-false142.250.186.46fra24s04-in-f14.1e100.net443https 354300x800000000000000047798Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:15.216{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local65090- 354300x800000000000000047797Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:15.215{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local64520- 
354300x800000000000000047796Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:15.213{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local61768- 354300x800000000000000047795Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:14.959{C8F4C507-618F-6140-6D08-00000000F001}3168C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50578-false142.250.181.227fra16s56-in-f3.1e100.net443https 354300x800000000000000047794Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:14.956{C8F4C507-618F-6140-6D08-00000000F001}3168C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-158.attackrange.local59834-false172.217.16.131zrh04s06-in-f131.1e100.net443https 354300x800000000000000047793Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:14.956{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local65058- 354300x800000000000000047792Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:14.955{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local62532- 354300x800000000000000047791Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:14.953{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local61567- 
23542300x800000000000000025361Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:17.592{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CF63771874A99284FB4256ABB7678BF,SHA256=295F5A8154A792E0318899B876BC01B5EFD2A25A25F024F39D6BB175101E17F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047860Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:17.918{C8F4C507-4948-6140-2A00-00000000F001}2916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0477d517a1c234eb8\channels\health\respondent-20210914070338-104MD5=444213A5E4761AD14A80FA7E47991D82,SHA256=0DBDB8A4E56CED56EF8E5BF7E0DBD8D08A5C60B4FE09EE301DC946EF89962DD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047859Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:17.321{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4938-6140-1600-00000000F001}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
354300x800000000000000047858Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:15.269{C8F4C507-618F-6140-6D08-00000000F001}3168C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-158.attackrange.local58069-false142.250.186.46fra24s04-in-f14.1e100.net443https 10341000x800000000000000047857Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:17.305{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-6285-6140-F208-00000000F001}5272C:\Program Files\Mozilla Firefox\pingsender.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047856Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:17.305{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-6285-6140-F208-00000000F001}5272C:\Program Files\Mozilla 
Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047855Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:17.220{C8F4C507-4938-6140-0D00-00000000F001}904948C:\Windows\system32\svchost.exe{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047854Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:51:17.220{C8F4C507-4938-6140-0D00-00000000F001}904948C:\Windows\system32\svchost.exe{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047853Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:17.220{C8F4C507-4938-6140-0D00-00000000F001}904948C:\Windows\system32\svchost.exe{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000047852Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:17.220{C8F4C507-4938-6140-0D00-00000000F001}904948C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047851Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:51:17.220{C8F4C507-4938-6140-0D00-00000000F001}904948C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047850Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:17.220{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=093E7C2E574354A08B886F0A266E9591,SHA256=8D84F020C6AC840007916D50363325685512FA573BF63AB9F168CC15C683757B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047849Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:17.204{C8F4C507-618F-6140-6D08-00000000F001}3168ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.binMD5=51C5F9DD83F57ED6D1B8B46080C1DA2D,SHA256=B123F14BEAF36C03C90970B77A64F2AD8A1006D95C9669ACCE8CDFF0E0B9E083,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000047848Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:17.188{C8F4C507-4938-6140-1600-00000000F001}13245100C:\Windows\system32\svchost.exe{C8F4C507-6285-6140-F308-00000000F001}5600C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047847Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:17.188{C8F4C507-4938-6140-1600-00000000F001}13241352C:\Windows\system32\svchost.exe{C8F4C507-6285-6140-F308-00000000F001}5600C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047846Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:17.188{C8F4C507-6285-6140-F308-00000000F001}56005060C:\Windows\system32\conhost.exe{C8F4C507-6285-6140-F208-00000000F001}5272C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047845Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:51:17.173{C8F4C507-5C83-6140-A007-00000000F001}42245620C:\Windows\system32\csrss.exe{C8F4C507-6285-6140-F308-00000000F001}5600C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047844Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:17.171{C8F4C507-5C83-6140-A007-00000000F001}4224696C:\Windows\system32\csrss.exe{C8F4C507-6285-6140-F208-00000000F001}5272C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047843Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:17.171{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047842Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:51:17.171{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047841Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:17.171{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047840Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:51:17.171{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047839Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:17.170{C8F4C507-618F-6140-6D08-00000000F001}31684016C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6285-6140-F208-00000000F001}5272C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\xul.dll+2011fdf|C:\Program Files\Mozilla Firefox\xul.dll+2011df5|C:\Program Files\Mozilla Firefox\xul.dll+2011e41|C:\Program Files\Mozilla Firefox\xul.dll+1eed842|C:\Program Files\Mozilla Firefox\xul.dll+19f1947|C:\Program Files\Mozilla Firefox\xul.dll+19f30a0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+14a9f5|C:\Program Files\Mozilla Firefox\xul.dll+14c453e|UNKNOWN(00000332BB5B4A10) 154100x800000000000000047838Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:51:17.169{C8F4C507-6285-6140-F208-00000000F001}5272C:\Program Files\Mozilla Firefox\pingsender.exe92.0-FirefoxMozilla Foundationpingsender.exe"C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/60010e95-fc00-4344-aae8-0678c14a9f03/new-profile/Firefox/92.0/release/20210903235534?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\saved-telemetry-pings\60010e95-fc00-4344-aae8-0678c14a9f03 https://incoming.telemetry.mozilla.org/submit/telemetry/8aefe9fe-ebac-46b4-a770-c90867895940/event/Firefox/92.0/release/20210903235534?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\saved-telemetry-pings\8aefe9fe-ebac-46b4-a770-c90867895940 https://incoming.telemetry.mozilla.org/submit/telemetry/eddd2864-83e8-4d40-8505-619acebae11c/first-shutdown/Firefox/92.0/release/20210903235534?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\saved-telemetry-pings\eddd2864-83e8-4d40-8505-619acebae11cC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{C8F4C507-5C85-6140-1A54-470000000000}0x47541a2MediumMD5=8A5233CE7A88489D05FEF9BB7AE52572,SHA256=0888DF51AA62CAF8E02C97564FF4BDCEDCF8CC0B6091753F7D9D4389689BA825,IMPHASH=AF27FA7223A9B6FE80447A0E6715E632{C8F4C507-618F-6140-6D08-00000000F001}3168C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 23542300x800000000000000047837Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:17.167{C8F4C507-618F-6140-6D08-00000000F001}3168ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\aborted-session-pingMD5=746115D33F9AD6289AA16B9E2478E6F4,SHA256=5E928CEFF2219BA9B88649ED060C02DE43D73E5B96A5B2D513AAF09E65B6DE80,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000047836Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:17.088{C8F4C507-618F-6140-6D08-00000000F001}3168ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\session-state.jsonMD5=9F76F5F86C7FB6A197A27859C3FA2F09,SHA256=C4BB3E282D00251F20727D8815EC7D90CB33451BE877B325CF3B283C27516EC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047835Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:17.073{C8F4C507-618F-6140-6D08-00000000F001}3168ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\storage.sqlite-journalMD5=CF115984C5B10D99361E214873B2BC9C,SHA256=2F4D2C81C5B486F265EB8523916CDA109F0C20F7F489158DF127441BBF10D062,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047834Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:17.069{C8F4C507-618F-6140-6D08-00000000F001}3168ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\xulstore.jsonMD5=2A3CC2404FD9A14E62E290A4D760AD16,SHA256=6B7B2F2D838041111013F7ABE686644F4259441D23BD63C4BB04FBAF6F1B7A61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047833Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:17.051{C8F4C507-618F-6140-6D08-00000000F001}3168ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\cookies.sqlite-walMD5=EDE14D030CDCB01309C5CABEA5FA6070,SHA256=DC74291D5C5018B1412831388CEAF5FA5CF8268EFD7FB1430756F1136CBA490C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000047832Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:17.051{C8F4C507-618F-6140-6D08-00000000F001}3168ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\cookies.sqlite-shmMD5=6C65E9424C6C3C27C0D9D46058C21E9B,SHA256=E1BB548959060E3C07E307E0CF47E41A3524848B651693457BADC4953C6B1377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047831Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:17.051{C8F4C507-618F-6140-6D08-00000000F001}3168ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\favicons.sqlite-walMD5=49C1BE465A3AC6CA7E17EF05E626E751,SHA256=9C37CA16EAD1E006CE74435FDC5B6743C391F90DB4727229A0BCE374F71A4E2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047830Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:17.020{C8F4C507-618F-6140-6D08-00000000F001}3168ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\favicons.sqlite-shmMD5=BAA97F6A1F820AC2AB024D5D5FBE8E3A,SHA256=3AA93C248203F1711AB70E4DAE8DB50C58B5FCF069AF52AD6533FD37D493EBAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047829Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:17.020{C8F4C507-618F-6140-6D08-00000000F001}3168ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\places.sqlite-walMD5=D631F7CBBD4C232DF49F18EEF50FD95F,SHA256=FA37D50402B54B4E029978E20F4B54F14AF25F98461A03EFBB6B1C617BFA05E5,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000047828Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:16.989{C8F4C507-618F-6140-6D08-00000000F001}3168ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\places.sqlite-shmMD5=6481C261FA7EEC784213D7F86EBB7061,SHA256=96528CA2F4A080E8C33F9D8B7A84EB190FD5C2C8259E715DA2B7CFA36AFCD155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025362Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:18.608{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC245EFE28EC2281BBB4C2058A444A9B,SHA256=2754DAA766A4294DBC6DA9E1D126AED85D94CBFACBDD531AEB781335EDA58833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047868Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:18.931{C8F4C507-4948-6140-2A00-00000000F001}2916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0477d517a1c234eb8\channels\health\surveyor-20210914070336-105MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047867Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:18.586{C8F4C507-6285-6140-F208-00000000F001}5272ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\saved-telemetry-pings\eddd2864-83e8-4d40-8505-619acebae11cMD5=E4FD90E016CB117674ADF8A29747F762,SHA256=E70B5354C55087E43077B63E38162125BDFBE6CCC364C9001401B8B6BCE1598E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047866Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:18.367{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=775740E5940654D07C6EE56130BC2CC3,SHA256=0927E1D1595A69FBAC359F6205044F55BEB4AD7DC8FD819E9CD10688B686FF50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047865Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:18.367{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9F4ED2AFF49D5111700AACCA0D4A916,SHA256=5EDC0E50A5516AECEE3E85CED19851546B8C8FF5853B23519328C45CD3B465C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047864Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:16.226{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50087- 23542300x800000000000000047863Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:18.321{C8F4C507-6285-6140-F208-00000000F001}5272ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\saved-telemetry-pings\8aefe9fe-ebac-46b4-a770-c90867895940MD5=66669B78D48EEEFA3F6C23749A9BFDD4,SHA256=F474CD24DFB38FD159AEE6911DC3E2E3B123C0DADCE0CC7683605993D9B88AA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047862Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:18.180{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88D9B9832C9A429B47E27941C33AF82B,SHA256=68D90EBD5CC912D749E26E9B049320D4642D4F20099BF8A2B7E4A778953FAC0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047861Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:18.071{C8F4C507-6285-6140-F208-00000000F001}5272ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\saved-telemetry-pings\60010e95-fc00-4344-aae8-0678c14a9f03MD5=0CC1AD96D2D2FED22B970EEEE8320022,SHA256=9EEB5D20433D14C88F80EAEC833DB017433D1092DACA5B1EDCE6C6E1A8309F2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025363Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:19.623{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=916F3C8FA31D02BD3C843D126848F006,SHA256=7848F3D3A195BD87D23C49763E9CD282F8F3B0B4E6AC653E21373365E7BAD31C,IMPHASH=00000000000000000000000000000000falsetrue 
354300x800000000000000047871Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:17.626{C8F4C507-6285-6140-F208-00000000F001}5272C:\Program Files\Mozilla Firefox\pingsender.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50580-false35.164.22.70ec2-35-164-22-70.us-west-2.compute.amazonaws.com443https 354300x800000000000000047870Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:17.469{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local61458- 23542300x800000000000000047869Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:19.210{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B71295A971A9970FC5495ABD4A1D52C8,SHA256=105725267352F9E88F41D6C0721A6CE6212AF68ED6379939D4C855AD41BDC674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025364Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:20.639{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8CA09577A12FE503C56E9E475DCBB73,SHA256=F17B298999ABAF7A6AD6587F1303A7DF7BA43E352636AA39D265FFF48701057F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047878Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:51:20.588{C8F4C507-4938-6140-1600-00000000F001}13245100C:\Windows\system32\svchost.exe{C8F4C507-6288-6140-F408-00000000F001}5640C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047877Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:20.588{C8F4C507-4938-6140-1600-00000000F001}13241352C:\Windows\system32\svchost.exe{C8F4C507-6288-6140-F408-00000000F001}5640C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047876Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:51:20.588{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-6288-6140-F408-00000000F001}5640C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047875Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:20.557{C8F4C507-5C83-6140-A007-00000000F001}4224696C:\Windows\system32\csrss.exe{C8F4C507-6288-6140-F408-00000000F001}5640C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047874Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:20.557{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-6288-6140-F408-00000000F001}5640C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047873Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:51:20.541{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-6288-6140-F408-00000000F001}5640C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047872Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:20.232{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B9A03BF8D4AC4411F569178BF6F566,SHA256=8CB1F71108C1B1B2D1BE3D5B59628A66BAD175A58F70B09F12134FE2E6396C48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025365Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:21.655{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6475D9625A2AFA94A2131F6246CA6C30,SHA256=40F9042DAE8BECD6EBCE71A237949CFF4ED3EFE810661B798E0D2E86807B60AA,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000047882Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:21.572{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=775740E5940654D07C6EE56130BC2CC3,SHA256=0927E1D1595A69FBAC359F6205044F55BEB4AD7DC8FD819E9CD10688B686FF50,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047881Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:19.360{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50581-false10.0.1.12-8000- 23542300x800000000000000047880Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:21.291{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8AE1E5726BD9143B752E9253F37F384,SHA256=51796296067D60F8CC2ABB1DEC6176B2EF93BFD495FE8B897513AF948EF867AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047879Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:21.150{C8F4C507-4938-6140-1000-00000000F001}420NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A00C692B97395B895BE961889F7BA412,SHA256=BD9A5AE5E20A7C3F217F47810C320C39179D041B50D0416D17C55B4F4F2680B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025393Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:51:22.889{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-628A-6140-5A06-00000000F101}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025392Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:22.889{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025391Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:51:22.889{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025390Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:22.889{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025389Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:51:22.889{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025388Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:22.889{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025387Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:51:22.889{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025386Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:22.889{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025385Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:51:22.889{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025384Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:22.889{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025383Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:22.889{4A7D70D7-4BB7-6140-0500-00000000F101}416432C:\Windows\system32\csrss.exe{4A7D70D7-628A-6140-5A06-00000000F101}516C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025382Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:22.889{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-628A-6140-5A06-00000000F101}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025381Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:22.889{4A7D70D7-628A-6140-5A06-00000000F101}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025380Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:22.670{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BB3E4EBC9C7453B72A77CBBACB97B56,SHA256=00C6F10514F27353FCD8D09147F9B6745EA2717BA158ADC6D8BA9C0C4A93E719,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047885Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:22.307{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0823C41A76219AED0C4F18B97D91782,SHA256=5C98AAC5359FEF15849DC0B57EA12F749BF0C5C5E0C9FE0BEE0770F03731EE7B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025379Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:22.404{4A7D70D7-628A-6140-5906-00000000F101}34363064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025378Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:22.217{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-628A-6140-5906-00000000F101}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025377Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:22.217{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025376Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:51:22.217{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025375Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:22.217{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025374Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:51:22.217{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025373Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:22.217{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025372Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:51:22.217{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025371Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:22.217{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025370Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:51:22.217{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025369Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:22.217{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025368Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:22.217{4A7D70D7-4BB7-6140-0500-00000000F101}416532C:\Windows\system32\csrss.exe{4A7D70D7-628A-6140-5906-00000000F101}3436C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025367Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:22.217{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-628A-6140-5906-00000000F101}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025366Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:22.218{4A7D70D7-628A-6140-5906-00000000F101}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047884Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:22.119{C8F4C507-5C87-6140-B607-00000000F001}3372ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{0BDE7B0F-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.dbMD5=F3DC4461F59519C68ABD86B979EA9762,SHA256=5896967D61C1C716C98511DCFC267A12749D330E5DEB35ECCB4690DFA756C964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047883Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:22.041{C8F4C507-5C87-6140-B607-00000000F001}3372ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.binMD5=E871053170AD09568882637D049295DC,SHA256=CEA9EABB0B46AC602CDC3FB6FE6215981F2D7C0C6A5C5023CE72860232DBE12B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025410Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:23.842{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11B4EC50035A9F2F425F915B6931CD21,SHA256=9EDAAB99B46FE3098EA5217AB2F4F57FBD5E02C6C42BD89A9226BEC3B5EA2647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047886Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:51:23.322{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB565F476A9E4B8B0E8F5044FEC7EFB,SHA256=CEB3CBACB89A298797DC01241FD8FED2BBB8B8962C50CD4B031B670C0EB738E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025409Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:23.545{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-628B-6140-5B06-00000000F101}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025408Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:23.545{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000025407Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:23.545{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025406Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:23.545{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025405Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:51:23.545{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025404Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:23.545{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025403Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:51:23.545{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025402Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:23.545{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025401Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:51:23.545{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025400Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:23.545{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025399Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:23.545{4A7D70D7-4BB7-6140-0500-00000000F101}416432C:\Windows\system32\csrss.exe{4A7D70D7-628B-6140-5B06-00000000F101}580C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025398Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:23.545{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-628B-6140-5B06-00000000F101}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025397Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:23.546{4A7D70D7-628B-6140-5B06-00000000F101}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025396Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:23.451{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A599F4D11C5F2E773ECCA34BEEB1773,SHA256=7B0B25B5485AA7262A0972759DD8F840087F22FB02774CDAAF4B0CC0935617BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025395Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:23.451{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B831C737A3049C8A2D46BB37A003890F,SHA256=5989EE30931D3102D94197BE90A1F7874795CD9D6CFC29375E66DE96947F4C58,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025394Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:19.681{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50904-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025412Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:24.872{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE37F81F22C42C6F3F25872B4923A5E6,SHA256=13DBC3E9920273FCC8867B107B5234629CF4AD7059CFEEB39DD67259781483DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047887Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:24.322{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1051D1FD07C70D567CFE0AE941A97A79,SHA256=301368D92E94D5926F495236F2F8077B90EF94EFBA559ED9C40B5AFF7C8B29C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025411Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:24.561{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A599F4D11C5F2E773ECCA34BEEB1773,SHA256=7B0B25B5485AA7262A0972759DD8F840087F22FB02774CDAAF4B0CC0935617BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025427Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:25.888{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5152FA06FD8B0E1B447B3AE30E7F41BE,SHA256=AEB036A733C9D9596ACAD49C15668A64BB23D5D1E2CF8DE9C51D641D45926E69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047888Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:51:25.335{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBFD99197A0BDAA890D0C96FCD7BF975,SHA256=BA9355DBD071101BAF5D09B4AA4B83ECE5F47B643CE933A56A9B973DDD16EAE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025426Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:25.685{4A7D70D7-628D-6140-5C06-00000000F101}38842076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025425Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:25.497{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-628D-6140-5C06-00000000F101}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025424Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:51:25.497{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025423Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:25.497{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025422Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:51:25.497{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025421Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:25.497{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025420Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:51:25.497{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025419Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:25.497{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025418Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:51:25.497{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025417Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:25.497{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025416Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:51:25.497{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025415Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:25.497{4A7D70D7-4BB7-6140-0500-00000000F101}416532C:\Windows\system32\csrss.exe{4A7D70D7-628D-6140-5C06-00000000F101}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025414Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:25.497{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-628D-6140-5C06-00000000F101}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025413Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:25.498{4A7D70D7-628D-6140-5C06-00000000F101}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000025456Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:26.935{4A7D70D7-628E-6140-5E06-00000000F101}31363220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000047897Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:51:26.975{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXEHKU\S-1-5-21-4055001771-3186303834-728673413-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x800000000000000047896Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:51:26.928{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXEHKU\S-1-5-21-4055001771-3186303834-728673413-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{ECF03A32-103D-11D2-854D-006008059367} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x800000000000000047895Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:51:26.913{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXEHKU\S-1-5-21-4055001771-3186303834-728673413-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x800000000000000047894Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:51:26.882{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXEHKU\S-1-5-21-4055001771-3186303834-728673413-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x800000000000000047893Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 
08:51:26.850{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXEHKU\S-1-5-21-4055001771-3186303834-728673413-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{23170F69-40C1-278A-1000-000100020000} {000214E4-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x800000000000000047892Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:51:26.788{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXEHKU\S-1-5-21-4055001771-3186303834-728673413-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B298D29A-A6ED-11DE-BA8C-A68E55D89593} {000214E4-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x800000000000000047891Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:51:26.772{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXEHKU\S-1-5-21-4055001771-3186303834-728673413-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99D353BC-C813-41EC-8F28-EAE61E702E57} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFFBinary Data 354300x800000000000000047890Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:25.374{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50582-false10.0.1.12-8000- 23542300x800000000000000047889Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:26.350{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E55BCDFF5AB8D43174681C6A67C64C2,SHA256=9E80F76F0FB52ADA896D6C3F04FAFA1BD05DFE0FA02E928EB311E2BE6DD55749,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000025455Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:26.747{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-628E-6140-5E06-00000000F101}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025454Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:26.747{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025453Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:51:26.747{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025452Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:26.747{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025451Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:51:26.747{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025450Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:26.747{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025449Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:51:26.747{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025448Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:26.747{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025447Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:51:26.747{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025446Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:26.747{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025445Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:26.747{4A7D70D7-4BB7-6140-0500-00000000F101}416432C:\Windows\system32\csrss.exe{4A7D70D7-628E-6140-5E06-00000000F101}3136C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025444Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:26.747{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-628E-6140-5E06-00000000F101}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025443Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:26.748{4A7D70D7-628E-6140-5E06-00000000F101}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025442Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:26.513{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BDFA0F7F53176DFDB668BF4948C75E6,SHA256=00E1F56D560CE215CD44D1DBA24799201BD5650775734C598DFFA5E20C4299F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025441Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:26.294{4A7D70D7-628E-6140-5D06-00000000F101}916840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025440Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:26.122{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-628E-6140-5D06-00000000F101}916C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025439Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:26.122{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025438Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:51:26.122{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025437Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:26.122{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025436Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
Files\Notepad++\updater\gup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047918Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:28.100{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-628F-6140-F508-00000000F001}6204C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047917Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:28.085{C8F4C507-5C83-6140-A007-00000000F001}42241076C:\Windows\system32\csrss.exe{C8F4C507-6290-6140-F608-00000000F001}6824C:\Program 
Files\Notepad++\updater\gup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047916Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:28.085{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047915Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:51:28.085{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047914Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:28.085{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047913Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:51:28.085{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047912Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:28.085{C8F4C507-628F-6140-F508-00000000F001}62041584C:\Program Files\Notepad++\notepad++.exe{C8F4C507-6290-6140-F608-00000000F001}6824C:\Program Files\Notepad++\updater\gup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\SHELL32.dll+3cd3f|C:\Windows\System32\SHELL32.dll+3cbcc|C:\Windows\System32\SHELL32.dll+3c91c|C:\Windows\System32\SHELL32.dll+e2087|C:\Windows\System32\SHELL32.dll+e1fe5|C:\Windows\System32\SHELL32.dll+13b1bb|C:\Program Files\Notepad++\notepad++.exe+244829|C:\Program Files\Notepad++\notepad++.exe+295213|C:\Program 
Files\Notepad++\notepad++.exe+2c6e46|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047911Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:28.073{C8F4C507-6290-6140-F608-00000000F001}6824C:\Program Files\Notepad++\updater\GUP.exe5.2WinGup for Notepad++WinGup for Notepad++Don HO don.h@free.frgup.exe"C:\Program Files\Notepad++\updater\gup.exe" -v8.14 -px64C:\Program Files\Notepad++\updater\ATTACKRANGE\Administrator{C8F4C507-5C85-6140-1A54-470000000000}0x47541a2HighMD5=FBFCC4E41844B23CFECA4FFE2F02C4B0,SHA256=84BE3CF3E23C7909E712F196329246581D6D01D423D3C4D647CB27C0056D5E1F,IMPHASH=FC933F2041320B70EF128DD4E38ECA3F{C8F4C507-628F-6140-F508-00000000F001}6204C:\Program Files\Notepad++\notepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Program Files\ansible\AttackRangeSysmon.xml" 10341000x800000000000000047910Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:28.069{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-628F-6140-F508-00000000F001}6204C:\Program Files\Notepad++\notepad++.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047909Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:51:28.069{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-628F-6140-F508-00000000F001}6204C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047908Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:28.053{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-628F-6140-F508-00000000F001}6204C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047907Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:51:28.038{C8F4C507-4938-6140-1600-00000000F001}13245100C:\Windows\system32\svchost.exe{C8F4C507-628F-6140-F508-00000000F001}6204C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047906Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:28.038{C8F4C507-4938-6140-1600-00000000F001}13241352C:\Windows\system32\svchost.exe{C8F4C507-628F-6140-F508-00000000F001}6204C:\Program Files\Notepad++\notepad++.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000047940Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:28.282{C8F4C507-6290-6140-F608-00000000F001}6824C:\Program Files\Notepad++\updater\GUP.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50584-false172.67.136.69-443https 354300x800000000000000047939Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:28.246{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50249- 23542300x800000000000000047938Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:29.444{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3D896CEDC0FF54B0BF25485F3AA214,SHA256=735A791FA50607B1FCC34B56BC2A2CF6EA327B70CDCC41B3EA9CBD262C94DD18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025475Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:29.186{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=055DF4A850891554F4C469CAC1A46FA8,SHA256=22F5E18F411B252563D2AE8D42A173D532BCC9DA74693378A57B7745EBBB9292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025474Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:29.016{4A7D70D7-4BB9-6140-1E00-00000000F101}1200NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048c9ce0a14d8581d\channels\health\respondent-20210914071403-094MD5=6BC7EA00CD47C1D6CBA9803B46ADA0B9,SHA256=8A1C236148BFDB262F48F4DC65B8BF7ED103820369A4D475048D55288754A72B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047942Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:30.460{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBC4F2C05390EF852AEC23BEB9571E2E,SHA256=11621DD157DF8BB4F82BF0E53B9EDDF6029E7A3C2F83ADB271362C80CCAC6FBB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000025478Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-SetValue2021-09-14 
08:51:30.592{4A7D70D7-4BB8-6140-1100-00000000F101}984C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a945-0xb63bcb39) 23542300x800000000000000025477Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:30.199{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0EA6A58D93E55A62C9D090AB51F1937,SHA256=19CBB4AB6C23E60A0B0AAA59938EF5BC18CDA12DCD47D29A75E16E5BFD7FBEFE,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000047941Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:28.259{C8F4C507-6290-6140-F608-00000000F001}6824notepad-plus-plus.org0::ffff:172.67.136.69;::ffff:104.21.26.128;C:\Program Files\Notepad++\updater\GUP.exe 23542300x800000000000000025476Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:30.031{4A7D70D7-4BB9-6140-1E00-00000000F101}1200NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048c9ce0a14d8581d\channels\health\surveyor-20210914071401-095MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025479Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:31.217{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3572BB7F5E9D8DE599384CC9D3950B62,SHA256=A10A7F71231868A58B6D6EDDC5388E9E3B0B5C283D172E25258312B3F80A4188,IMPHASH=00000000000000000000000000000000falsetrue 
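The records above from win-dc-158 form one short chain: notepad++.exe launches its updater gup.exe (Event 1, record 47911, run as ATTACKRANGE\Administrator at High integrity), lsass.exe opens handles to notepad++.exe and gup.exe with GrantedAccess 0x1478 and 0x1000 through the lsasrv/SspiSrv/RPCRT4 path (Event 10), the updater resolves notepad-plus-plus.org to 172.67.136.69 and 104.21.26.128 (Event 22) and connects to 172.67.136.69:443 (Event 3). The Python below is an added example, not part of the Attack Range dataset or of any Splunk content: it re-types those events as dictionaries and runs the two checks a detection engineer would want on this data. The LSASS rule looks at handle direction and access mask, because in every Event 10 here lsass.exe is the SourceImage, not the TargetImage, so a rule that merely greps for "lsass.exe" fires three times on benign SSPI traffic. The timeline helper ties the updater's creation, the handles opened on it, its DNS answer and its outbound connection together by ProcessGuid. The SUSPECT record, its path, and the allow-list are constructed assumptions that do not appear in the dump.

```python
# Added example; the EVENTS list is re-typed from the Sysmon dump on this
# page (record IDs, times, images, access masks, DNS answers). SUSPECT is a
# CONSTRUCTED test vector that is not in the dump; its path is hypothetical.

LSASS = r"C:\Windows\system32\lsass.exe"
CSRSS = r"C:\Windows\system32\csrss.exe"
NPP = r"C:\Program Files\Notepad++\notepad++.exe"
GUP = r"C:\Program Files\Notepad++\updater\gup.exe"   # Event 1 spells it GUP.exe
GUP_GUID = "{C8F4C507-6290-6140-F608-00000000F001}"

# Process access rights a credential dumper needs on lsass.exe.
PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION = 0x0002, 0x0008
PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE = 0x0010, 0x0020, 0x0040
SENSITIVE_MASK = (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION
                  | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE)

EVENTS = [
    # Event 1: notepad++.exe spawns the updater.
    {"rid": 47911, "id": 1, "time": "08:51:28.073", "guid": GUP_GUID,
     "image": GUP, "parent": NPP, "user": r"ATTACKRANGE\Administrator"},
    # Event 10: lsass.exe is the SOURCE, the editor/updater is the TARGET.
    # 0x1478 = QUERY_LIMITED_INFO|QUERY_INFO|DUP_HANDLE|VM_WRITE|VM_READ|VM_OPERATION.
    {"rid": 47910, "id": 10, "time": "08:51:28.069", "source": LSASS,
     "target": NPP, "access": 0x1478, "trace": "lsasrv.dll|SspiSrv.dll|RPCRT4.dll"},
    {"rid": 47919, "id": 10, "time": "08:51:28.163", "source": LSASS,
     "target": GUP, "target_guid": GUP_GUID, "access": 0x1000,
     "trace": "RPCRT4.dll|lsasrv.dll|SspiSrv.dll"},
    {"rid": 47920, "id": 10, "time": "08:51:28.163", "source": LSASS,
     "target": GUP, "target_guid": GUP_GUID, "access": 0x1478,
     "trace": "lsasrv.dll|SspiSrv.dll|RPCRT4.dll"},
    # Event 10: full-access handles taken on the new child during creation.
    {"rid": 47917, "id": 10, "time": "08:51:28.085", "source": CSRSS,
     "target": GUP, "target_guid": GUP_GUID, "access": 0x1FFFFF,
     "trace": "basesrv.DLL|CSRSRV.dll"},
    {"rid": 47912, "id": 10, "time": "08:51:28.085", "source": NPP,
     "target": GUP, "target_guid": GUP_GUID, "access": 0x1FFFFF,
     "trace": "KERNELBASE.dll|KERNEL32.DLL|windows.storage.dll|SHELL32.dll"},
    # Event 22 and 3: the updater resolves and connects to its update host.
    {"rid": 47941, "id": 22, "time": "08:51:28.259", "guid": GUP_GUID,
     "query": "notepad-plus-plus.org",
     "answers": ["172.67.136.69", "104.21.26.128"]},
    {"rid": 47940, "id": 3, "time": "08:51:28.282", "guid": GUP_GUID,
     "dst_ip": "172.67.136.69", "dst_port": 443},
]

# CONSTRUCTED, not from the dump: an unknown binary reading lsass memory.
SUSPECT = {"rid": 0, "id": 10, "time": "08:52:00.000",
           "source": r"C:\Users\Public\sample.exe", "target": LSASS,
           "access": PROCESS_VM_READ | 0x1000, "trace": "UNKNOWN"}


def naive_lsass_hits(events):
    """Grep-style rule: any Event 10 that mentions lsass.exe at all."""
    return [e["rid"] for e in events if e["id"] == 10
            and any("lsass.exe" in e[k].lower() for k in ("source", "target"))]


def lsass_access_alerts(events, allowlist=frozenset({CSRSS.lower()})):
    """Direction- and mask-aware rule: alert only when lsass.exe is the
    TARGET, the granted mask includes memory/thread/handle rights, and the
    source is not an allow-listed system process (allow-list is an assumption)."""
    alerts = []
    for e in events:
        if e["id"] != 10 or not e["target"].lower().endswith("\\lsass.exe"):
            continue
        if not e["access"] & SENSITIVE_MASK:
            continue
        if e["source"].lower() in allowlist:
            continue
        alerts.append((e["rid"], e["source"], hex(e["access"])))
    return alerts


def process_timeline(events, guid):
    """Everything tied to one ProcessGuid in time order: its creation,
    handles opened on it, and the DNS queries and connections it made."""
    mine = [e for e in events if guid in (e.get("guid"), e.get("target_guid"))]
    return sorted(mine, key=lambda e: (e["time"], e["rid"]))


def connect_matches_dns(timeline):
    """True when every Event 3 destination was returned by an earlier Event 22."""
    seen = set()
    for e in timeline:
        if e["id"] == 22:
            seen.update(e["answers"])
        elif e["id"] == 3 and e["dst_ip"] not in seen:
            return False
    return True


if __name__ == "__main__":
    print("naive hits:", naive_lsass_hits(EVENTS))            # three false positives
    print("real alerts:", lsass_access_alerts(EVENTS + [SUSPECT]))
    tl = process_timeline(EVENTS, GUP_GUID)
    print("gup.exe timeline:", [(e["id"], e["rid"]) for e in tl])
    print("connect explained by DNS:", connect_matches_dns(tl))
```

The direction check is the point worth keeping: Sysmon Event 10 is symmetric in shape, so a query that matches `lsass.exe` in either image field turns ordinary SSPI round-trips into LSASS-dumping alerts, while the records that matter have lsass.exe in TargetImage with VM_READ or similar bits set. Correlating by ProcessGuid rather than PID avoids PID reuse when the timeline spans more than a few seconds.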
23542300x800000000000000047943Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:31.491{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD32BAFC5C83E4BD4DF0682B096B6EDB,SHA256=DDE9D0020A086C9E0B43B477653DA1B4530CDA73A73DB564D675756643506C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025480Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:32.264{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE25A10FBE0C28C564BBCF55DF7053B8,SHA256=FBEBBDFA239677EF578760A102267B76DAC51B117FD3709D181BAD3184E340A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047944Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:32.522{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45CC0559F7130F9970E3A427D2ACAA1F,SHA256=287A06F4B5F60B8544B33A07C273CE87341E95ABCBDFC54ABD036027EA54C981,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025482Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:30.697{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50906-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 
23542300x800000000000000025481Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:33.467{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CB2BFA692D13B3AD4D1E934B8BF9EBB,SHA256=2CC9F820A969CE44D3BA4533F89447C68F82CD4F5824D62ADB91143278F164AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047946Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:31.375{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50585-false10.0.1.12-8000- 23542300x800000000000000047945Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:33.538{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=339749AB88D373C66B718FB004E2DD66,SHA256=9C78DBAA96E382F2A767647182A42A09CE54E81ABAB52262C9A08F3FCC0F7362,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025483Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:34.701{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB5AE3C954CED52E432B122D7F56DF04,SHA256=9AF3E04B89AC4D7A2EC137FD6F85FBAE1577AF8D8B1D503523696A21D55C732C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000047947Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:34.569{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8495F867A740D807833418F4CC307AAB,SHA256=01F144E808ADEFD3D4E764AAAA6A23915CD9C36690BFFAFD9B1BA79B4C637D9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025484Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:35.811{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B980D731ECE29440577120F07602147,SHA256=4E6403569FD9A4481C8DC6E87295E9B6513E3D6B47B6EC8C85D1924850092B39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047948Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:35.600{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F7BD8668352886BDA5D6AEE58D2873C,SHA256=8C07B91ABC1AC99D2CB9A966CF3425EFF8983A79ABCF60AC5605BBABABA58F79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025485Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:36.858{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99BF1F7E2BD15866965CE3124AB7059A,SHA256=26916604DE711FA15086B2EC954CAAB4E036F5154C7283686DF919124A9E0DA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047950Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:36.991{C8F4C507-4948-6140-2D00-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=97307B6C6226AFFEFEDDF9EBA24D5EA3,SHA256=4CB856A974CB30F2D8F223261AE885385947BBAEFF3925236FB5B2D7588E78E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047949Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:36.616{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE46D491C4C721F01D8D49090270C9AD,SHA256=C38453FEBEB152A5774163B1B0E48FFA296394AA1AD97E64318D1089DDF1E320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025486Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:37.873{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4AFA3611BFF4514C993C3C285444E3D,SHA256=2E4F3FA18BCA60B5C9A71E4969B8FFECF825F94088F86DA92B1A2149A2A35B42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047951Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:37.616{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B462F3348DE1B3BA7160C627E468A3C2,SHA256=7D42A101F7E686AF53DE16406F3F2C9ABC7F42934660AA54530ED3B3F64B40B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025487Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:38.873{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C86F3D7DC78CBCB545A12D25F5A2D4C,SHA256=10B5A5A5359741BB9038F0C6675223FDF0A608D52893243525A957DDD9B801B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047954Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:37.249{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50587-false10.0.1.12-8000- 354300x800000000000000047953Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:37.093{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50586-false10.0.1.12-8089- 23542300x800000000000000047952Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:38.632{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
08:51:51.337{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048001Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:51.337{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048000Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:51:51.337{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047999Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:51.337{C8F4C507-4936-6140-0500-00000000F001}416432C:\Windows\system32\csrss.exe{C8F4C507-62A7-6140-FA08-00000000F001}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047998Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:51.337{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-62A7-6140-FA08-00000000F001}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047997Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:51.337{C8F4C507-62A7-6140-FA08-00000000F001}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048019Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:52.837{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51751B6FB33C5FB6EBA81E7D2F3756A6,SHA256=26CA192875D28684BFFD0021EB2192F5E38E1DB4E937F08CA8CD2E180777176C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025503Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:51:52.046{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB1BE61E610355823B3399D4156F6B1A,SHA256=0343680FE32871C8DA5D38F3B7C904FD07FDF8233912C09B0A2FBA4FC5BC16DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048018Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:52.758{C8F4C507-62A8-6140-FB08-00000000F001}64645028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048017Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:52.571{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-62A8-6140-FB08-00000000F001}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048016Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:51:52.571{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048015Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:52.571{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048014Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:51:52.571{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048013Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:52.571{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048012Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:52.571{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-62A8-6140-FB08-00000000F001}6464C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048011Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:52.571{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-62A8-6140-FB08-00000000F001}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048010Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:52.572{C8F4C507-62A8-6140-FB08-00000000F001}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000048009Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:50.658{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50590-true0:0:0:0:0:0:0:1win-dc-158.attackrange.local389ldap 354300x800000000000000048008Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:50.658{C8F4C507-4948-6140-2700-00000000F001}2876C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50590-true0:0:0:0:0:0:0:1win-dc-158.attackrange.local389ldap 10341000x800000000000000048038Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:53.852{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-62A9-6140-FD08-00000000F001}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048037Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:51:53.852{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048036Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:53.852{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048035Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:51:53.852{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048034Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:53.852{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048033Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:53.852{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-62A9-6140-FD08-00000000F001}376C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048032Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:53.852{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-62A9-6140-FD08-00000000F001}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048031Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:53.853{C8F4C507-62A9-6140-FD08-00000000F001}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048030Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:53.837{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B21131DC87DB47B9ADA0567AD540CDA,SHA256=D4FE4DED73142185204E493B90873DB7A039DDB8E325194F75F4B8625BF75E20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025504Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:51:53.062{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E13076A53DC087668538FE3FB704AE4D,SHA256=E22D520671B42A3B2CB4AE7B7EE10221C12F97167553B7131FBA8B0A2215289F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048029Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:53.571{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C3A47CA24726C1C5EC5E53B80BD4DEA,SHA256=E483D8EB9EBCB04548EDBE1D7D404E06113E8A32E2F2BA565D3DC648FC4EAE6D,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000048028Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:53.399{C8F4C507-62A9-6140-FC08-00000000F001}70565388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048027Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:53.243{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-62A9-6140-FC08-00000000F001}7056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048026Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:51:53.243{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048025Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:51:53.243{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048024Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:03.805{C8F4C507-4938-6140-0D00-00000000F001}904948C:\Windows\system32\svchost.exe{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048073Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:03.805{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048072Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:03.805{C8F4C507-4938-6140-0D00-00000000F001}904948C:\Windows\system32\svchost.exe{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048071Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:03.805{C8F4C507-4938-6140-0D00-00000000F001}904948C:\Windows\system32\svchost.exe{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048070Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:03.805{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048069Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:03.805{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048068Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:03.805{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048067Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:03.805{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000048066Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:03.805{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000048065Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:03.805{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000048064Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:03.805{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000048063Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:03.805{C8F4C507-5C87-6140-B607-00000000F001}33724792C:\Windows\Explorer.EXE{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048062Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:03.805{C8F4C507-5C87-6140-B607-00000000F001}33724792C:\Windows\Explorer.EXE{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048061Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:03.790{C8F4C507-4938-6140-1600-00000000F001}13245100C:\Windows\system32\svchost.exe{C8F4C507-62B3-6140-FE08-00000000F001}7156C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048060Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:03.790{C8F4C507-4938-6140-1600-00000000F001}13241352C:\Windows\system32\svchost.exe{C8F4C507-62B3-6140-FE08-00000000F001}7156C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048059Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:03.775{C8F4C507-5C83-6140-A007-00000000F001}42241076C:\Windows\system32\csrss.exe{C8F4C507-62B3-6140-FE08-00000000F001}7156C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048058Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:03.775{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048057Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:03.775{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048056Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:03.775{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048055Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:03.775{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048054Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:03.775{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-62B3-6140-FE08-00000000F001}7156C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048053Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:03.775{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-62B3-6140-FE08-00000000F001}7156C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36dd2|c:\windows\system32\rpcss.dll+3dbed|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048052Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:03.783{C8F4C507-62B3-6140-FE08-00000000F001}7156C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {24AC8F2B-4D4A-4C17-9607-6A4B14068F97} 
-EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{C8F4C507-5C85-6140-1A54-470000000000}0x47541a2HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{C8F4C507-4937-6140-0C00-00000000F001}848C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x800000000000000048051Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:03.587{C8F4C507-628F-6140-F508-00000000F001}6204ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-09-14_085156MD5=89BD21F2ECAFB15CAAAA0CD2DF9AB706,SHA256=71AF5FCC9F0C24D8ABD6C636A0E3DBBEBE8301D0914AD7E9563FE2580F0C5D03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025528Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:04.187{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=230836006AD7E9EB5A30C98DA2980C05,SHA256=84E40BDECD13624DA6267D0509F77B6113860F5F37618D3D5A07529989C77712,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048096Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:04.782{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFB5BA8DB743C4EEC46029A46DC26125,SHA256=B37EA62949DB67388CBCA620512626A762C961F8C4C1E7B5DCD5F809D83320FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048095Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:04.782{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2D8BA8CDEF15E908305A1E6D9E17923,SHA256=DDAE90AC7ED4416ABAF071640F6B6E397C709BC78CED7E17240A4C879EE2F4AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048094Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:04.227{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEAB7885A63DD4A71AED201866026D8C,SHA256=8A899F4D9D53FFF4CE8D8BCED4B8242C5707104F41FDD4A9B92382FB3DEE685B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048093Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:04.227{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03DD874C10D346BDBA5D6C81A0B81B36,SHA256=E74E99DC2BACD3A7E147F4202C6CA29F8A24E0DC93D7FEE585FB6C1C51FB6BE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048112Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:05.235{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=566C85884ACE2D9A863D66E2D7B739FB,SHA256=2E367E4CEF8A6D88BDBFF1CCF8893576DEC892742A52880DED911AB7FD5053DE,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000048111Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:05.235{C8F4C507-5C87-6140-B607-00000000F001}33724092C:\Windows\Explorer.EXE{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000048110Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:05.235{C8F4C507-5C87-6140-B607-00000000F001}33724092C:\Windows\Explorer.EXE{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 354300x800000000000000025530Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:02.792{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50912-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025529Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:05.195{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F2A2FE063B6589222F333C49B9F33EA,SHA256=E427B4372B0D23AA1629390C02E4944033337B9DCAF4054FB0F0ADBF0610C2DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048139Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:15.517{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=491AF7CFB6C3E29F619DD477E1E98125,SHA256=BBE36063B1FE25855A37A869CF498F8F85557B35B482364E2086301517D01099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025543Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:15.320{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF52717650D6246C977FDAA86683A00,SHA256=FB1495E63B1C6865176C0A70198D226B5284D544C5FAE8F92AA9F7536B8A1433,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025544Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:16.335{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=847F2D2E77ABC12A51296E8299BCEF8E,SHA256=64ED1D62BB70AA01AEC7587DEAA5A368CC300BEE37475EE15BE5D358E41D67CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048141Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:16.532{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B96DF974810EC83133A34E049F2598F4,SHA256=C994BE320680B1CD9B3092933C74FAF46478AFFC0DFC94051A66876D7DFAC467,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048140Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:14.322{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50595-false10.0.1.12-8000- 23542300x800000000000000025545Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:17.351{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50484290E57EC7E4136A94D29D9AF1AB,SHA256=DF1B674A8C06B3BDC0A2D0F09094E60945E36D0C7F2CB8257A655617DF30D61A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048170Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:17.642{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43E86DFF28FBEDD017AFA9186DAC8A5C,SHA256=BAAB1ABAA0D60475D65FACF2C77E1A5C0F8D50763BF1D0E69D5F3A8FD7BF6C4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048169Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:17.517{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2B00-00000000F001}2924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048168Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:17.517{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2B00-00000000F001}2924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048167Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:17.517{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048166Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:17.517{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048165Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:17.517{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048164Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:17.517{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048163Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:17.517{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048162Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:17.517{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048161Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:17.517{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048160Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:17.517{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048159Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:17.517{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048158Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:17.517{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048157Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:17.517{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048156Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:17.517{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048155Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:17.517{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048154Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:17.517{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048153Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:17.517{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048152Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:17.517{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048151Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:17.517{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048150Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:17.517{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048149Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:17.517{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048148Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:17.517{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048147Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:17.517{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048146Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:17.517{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048145Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:17.517{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048144Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:17.517{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048143Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:17.517{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048142Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:17.517{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048171Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:18.642{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E6436040FCCECE381587D4EF6148524,SHA256=D8DADD88AC43DE4A0451AC84180A666A941986F4767EF9940B310E9003589FB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025547Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:18.367{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FA70783977E57DC16947B9884C40F7D,SHA256=5C2BB8F087BAA4D7D8D80D0415CFC96AB0F81C023F0A1F10883384B5DD1F0FFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025546Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:14.611{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50915-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000048173Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:19.658{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A05D37672ABE80EB430F4AA8C6EC3F8,SHA256=8F9B2776B737CAF72BFA5F8EE1AC5B3E64E31A4E00FDD4E673880871CBF7B9E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025548Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:19.382{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4B3AA21759F1FE66CA20627F3B5621,SHA256=02E1B1166568549765C43562A6D00DAC8CE71B089C4DBA5D5EC19B0E6897B112,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048172Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:19.457{C8F4C507-4948-6140-2A00-00000000F001}2916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0477d517a1c234eb8\channels\health\respondent-20210914070338-105MD5=444213A5E4761AD14A80FA7E47991D82,SHA256=0DBDB8A4E56CED56EF8E5BF7E0DBD8D08A5C60B4FE09EE301DC946EF89962DD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048175Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:20.672{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=269AAD9874E71D1E4A9422B0EB1CAA19,SHA256=C86F2C42746D4D80FAAC78C815B89A21C25CC7B89247092EEF5D2153B3C003E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025549Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:20.445{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3179C27940B8812DCBFE5514C58DFF9,SHA256=7ACE87C7201DBD3D33EBD420972A56344024FD3E48E4807C2F630DC54EED9465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048174Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:20.472{C8F4C507-4948-6140-2A00-00000000F001}2916NT AUTHORITY\SYSTEMC:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0477d517a1c234eb8\channels\health\surveyor-20210914070336-106MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000025551Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-SetValue2021-09-14 08:52:21.617{4A7D70D7-4BB8-6140-1100-00000000F101}984C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a945-0xd4a580b2) 23542300x800000000000000025550Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:21.460{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A0F6F970B82E0338C70EB8FF6876203,SHA256=F8B965820B5F9042A703CC30B2DB772AE871964C03E84D7DDD4E8196E063DC8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048177Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:21.676{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD87DE3668744178E97A7DB8010A70DC,SHA256=154E38F4EA8865E0A1758AC09EF8766E610844BDED7A9AC8F2D75B4DC9D080DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048176Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:21.160{C8F4C507-4938-6140-1000-00000000F001}420NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DF960189DE23858CEAF0BA97FE47B5A1,SHA256=812D8FD054F0A3207534B6511D760758ED82F19FFB07A3AE173C346B4EE7130C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048179Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:22.707{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B05E3E92B76E0BA7F529B0C58088AC9,SHA256=6524FD048C9E1DDA07107BEB262C6DA05CE11436950E1679068F1D64D671B499,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025579Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:22.742{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-62C6-6140-6106-00000000F101}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025578Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:52:22.742{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025577Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:22.742{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025576Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:52:22.742{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025575Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:22.742{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025574Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:52:22.742{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025573Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:22.742{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025572Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:52:22.742{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025571Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:22.742{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025570Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:52:22.742{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025569Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:22.742{4A7D70D7-4BB7-6140-0500-00000000F101}416432C:\Windows\system32\csrss.exe{4A7D70D7-62C6-6140-6106-00000000F101}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025568Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:22.742{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-62C6-6140-6106-00000000F101}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025567Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:22.743{4A7D70D7-62C6-6140-6106-00000000F101}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000025566Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:22.586{4A7D70D7-62C6-6140-6006-00000000F101}30002888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000025565Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:22.492{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD93D908D6E9A907D3A2960B1D81EB57,SHA256=34FD33139DC444A7C722F5426D404216BAD555247D7D63E833FB44DED309EF8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025564Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:22.242{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-62C6-6140-6006-00000000F101}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025563Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:52:22.242{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025562Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:22.242{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025561Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:52:22.242{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025560Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:22.242{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025559Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:52:22.242{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025558Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:22.242{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025557Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:52:22.242{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025556Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:22.242{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025555Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:52:22.242{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025554Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:22.242{4A7D70D7-4BB7-6140-0500-00000000F101}416532C:\Windows\system32\csrss.exe{4A7D70D7-62C6-6140-6006-00000000F101}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025553Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:22.242{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-62C6-6140-6006-00000000F101}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025552Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:22.242{4A7D70D7-62C6-6140-6006-00000000F101}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000048178Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:20.276{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50596-false10.0.1.12-8000- 23542300x800000000000000048181Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:23.738{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=046A87D504C1721F450D6494876C43F1,SHA256=DA6262C54CE26BEF1322C39BC7023253958C5C74F0AE340CB1CE5B4BCE98E4F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025598Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:23.632{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FD866B486DE890E5134C6BAA5023637,SHA256=8E1A7D1BC85522EEE4E16ABDACE8187ECA356E342C7CD103A1DFA5E0383F3941,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048180Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:21.712{C8F4C507-4938-6140-1100-00000000F001}408C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-158.attackrange.local123ntpfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal123ntp 23542300x800000000000000025597Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:23.257{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A53EAF56E4345CF96B1B6198AE4E0BCB,SHA256=3C48710094C1CA61DAB54ABA059E14474600CE72A22EFF60743DBF3E9B7726D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025596Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:23.257{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
354300x800000000000000048185Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:25.289{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50597-false10.0.1.12-8000- 23542300x800000000000000048184Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:26.796{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EB423FA4CA699DF4A3F8805F2C0F091,SHA256=7715667052D90DAC948184D0BD096EC25553D022FC8DEE99EDC9EA5ACF8FFA98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025630Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:26.537{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1379DC2AEE765EF9184B961A5173DF68,SHA256=926A5623EDDACDAA8D2B40DFC2058053B28946798C60D888AD94611CEA6C1EBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025629Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:26.350{4A7D70D7-62CA-6140-6406-00000000F101}3300736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025628Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:26.178{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-62CA-6140-6406-00000000F101}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025627Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:26.178{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025626Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:52:26.178{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025625Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:26.178{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025624Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:52:26.178{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025623Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:26.178{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025622Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:52:26.178{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025621Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:26.178{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025620Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:52:26.178{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025619Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:26.178{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025618Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:26.178{4A7D70D7-4BB7-6140-0500-00000000F101}416532C:\Windows\system32\csrss.exe{4A7D70D7-62CA-6140-6406-00000000F101}3300C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025617Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:26.178{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-62CA-6140-6406-00000000F101}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025616Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:26.179{4A7D70D7-62CA-6140-6406-00000000F101}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048186Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:27.890{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE780C435F3B7F39E1CF2F18D5DBA4F,SHA256=B02422D4CCFB99ADBBE33BCD7235B93A5CAEC1CBF47AD68A8079B4AF22A69050,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025658Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:27.709{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-62CB-6140-6606-00000000F101}2160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025657Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:52:27.709{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025656Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:27.709{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025655Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:52:27.709{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025654Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:27.709{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025653Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:52:27.709{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025652Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:27.709{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025651Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:52:27.709{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025650Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:27.709{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025649Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:52:27.709{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025648Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:27.709{4A7D70D7-4BB7-6140-0500-00000000F101}416952C:\Windows\system32\csrss.exe{4A7D70D7-62CB-6140-6606-00000000F101}2160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025647Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:27.709{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-62CB-6140-6606-00000000F101}2160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
08:52:48.783{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048236Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:48.783{C8F4C507-4936-6140-0500-00000000F001}416432C:\Windows\system32\csrss.exe{C8F4C507-62E0-6140-0109-00000000F001}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048235Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:48.783{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-62E0-6140-0109-00000000F001}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048234Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:48.784{C8F4C507-62E0-6140-0109-00000000F001}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048233Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:48.642{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7FE76F63FCB061B25AECFB804F18222,SHA256=19592DDB614141DC1731556DE317BB0AD427E36076218EA952A1952D00F2DD66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048232Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:48.642{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFB5BA8DB743C4EEC46029A46DC26125,SHA256=B37EA62949DB67388CBCA620512626A762C961F8C4C1E7B5DCD5F809D83320FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048231Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:48.330{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9BAB3C1533AD7FE3C9D1F332A82BBE0,SHA256=B071BB3EBAD83B42EBF9C502FD2162DC9288A7C7D7568AABEC186B5CF2888A0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048230Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:48.127{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-62E0-6140-0009-00000000F001}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048229Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:48.127{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048228Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:48.127{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048227Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:48.127{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048226Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:48.127{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048225Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:48.127{C8F4C507-4936-6140-0500-00000000F001}416532C:\Windows\system32\csrss.exe{C8F4C507-62E0-6140-0009-00000000F001}6604C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048224Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:48.127{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-62E0-6140-0009-00000000F001}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048223Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:48.128{C8F4C507-62E0-6140-0009-00000000F001}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025687Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:49.617{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D71E984846045E04C1DFAAD0B0551FAF,SHA256=8BF96C46EE6519E64B924C341FCC2CE4C0BF708DCE7058CA77B8B0D9E5562F7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048244Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:49.814{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7FE76F63FCB061B25AECFB804F18222,SHA256=19592DDB614141DC1731556DE317BB0AD427E36076218EA952A1952D00F2DD66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048243Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:49.361{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E948FED6F50DC4D330C42530873FB30,SHA256=5251CE97C520A65194A6E8981E1DB2650FF3891F525273D922D7AFBA75B3FC40,IMPHASH=00000000000000000000000000000000falsetrue 
354300x800000000000000048242Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:47.167{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50602-false10.0.1.12-8000- 23542300x800000000000000025688Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:50.789{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F923A2D8162AA44AA300CD120B32862D,SHA256=38234A511A3F282BABC078B5C52E2ADB5C42D60BCA3C1FA1A6FB24063B440697,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048336Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.377{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70715CC40C93A1208D200B8279F4D148,SHA256=D5FC736CE01E2408C09A7F55A86D35BA30F5C29F25CD9E805594811FF4983A44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048335Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.377{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-62E2-6140-0409-00000000F001}4236C:\Program Files 
(x86)\Google\Update\GoogleUpdate.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048334Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.377{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-62E2-6140-0409-00000000F001}4236C:\Program Files (x86)\Google\Update\GoogleUpdate.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048333Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.377{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35224362D249BDF3CA185BFAF5CA3C27,SHA256=D0C96232B76659295BDD5AE5E9B59952D79F3EE20269A64E43514D3B74E49545,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048332Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.346{C8F4C507-4938-6140-1100-00000000F001}4085572C:\Windows\system32\svchost.exe{C8F4C507-4938-6140-1600-00000000F001}1324C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000048331Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:50.346{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-4938-6140-1600-00000000F001}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1ec9a|C:\Windows\SYSTEM32\samsrv.dll+5e81|C:\Windows\SYSTEM32\samsrv.dll+5d82|C:\Windows\SYSTEM32\samsrv.dll+1594e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048330Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.346{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-4938-6140-1600-00000000F001}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1ec9a|C:\Windows\SYSTEM32\samsrv.dll+5e81|C:\Windows\SYSTEM32\samsrv.dll+5d82|C:\Windows\SYSTEM32\samsrv.dll+1594e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000048329Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.330{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-4938-6140-1600-00000000F001}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30485|C:\Windows\system32\lsasrv.dll+2e31b|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000048328Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:50.314{C8F4C507-4936-6140-0B00-00000000F001}6324692C:\Windows\system32\lsass.exe{C8F4C507-4938-6140-1600-00000000F001}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30485|C:\Windows\system32\lsasrv.dll+2e31b|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000048327Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:50.283{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4938-6140-1600-00000000F001}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048326Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.283{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4938-6140-1600-00000000F001}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048325Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:50.127{C8F4C507-4936-6140-0500-00000000F001}416432C:\Windows\system32\csrss.exe{C8F4C507-62E2-6140-0509-00000000F001}5652C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x800000000000000048276Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.137{C8F4C507-62E2-6140-0509-00000000F001}5652C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe1.3.36.101Google Crash HandlerGoogle UpdateGoogle LLCGoogleUpdate.exe"C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe"C:\Program Files (x86)\Google\Update\1.3.36.102\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=BC53B070A9A7E85E0CAE2514ED44E4E8,SHA256=F443F951DE2432747FBCE2D30042810209A3742C81E885011C2EC949F25EEED8,IMPHASH=B2C58EB18E4964057E8DDC4DBCCF9F8E{C8F4C507-62E2-6140-0309-00000000F001}2840C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /c 10341000x800000000000000048275Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:50.127{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048274Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.127{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048273Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:50.127{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048272Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.127{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048271Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.127{C8F4C507-4936-6140-0500-00000000F001}416532C:\Windows\system32\csrss.exe{C8F4C507-62E2-6140-0409-00000000F001}4236C:\Program 
Files (x86)\Google\Update\GoogleUpdate.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x800000000000000048270Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.130{C8F4C507-62E2-6140-0409-00000000F001}4236C:\Program Files (x86)\Google\Update\GoogleUpdate.exe1.3.36.101Google InstallerGoogle UpdateGoogle LLCGoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /crC:\Program Files (x86)\Google\Update\1.3.36.102\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=5A25AEBDD889EFDA40F2A57297A32422,SHA256=60010099B97DA759EF15414B4E73E73C204CD021D9BDFDAF568122863F2DF9DE,IMPHASH=7DF1816239C5BC855600D41210406C5B{C8F4C507-62E2-6140-0309-00000000F001}2840C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /c 10341000x800000000000000048269Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.111{C8F4C507-61C9-6140-8C08-00000000F001}71166444C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe{C8F4C507-62E2-6140-0309-00000000F001}2840C:\Program Files (x86)\Google\Update\GoogleUpdate.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe+edd9|C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe+f514|C:\Program Files 
(x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe+fa0e|C:\Windows\SYSTEM32\ntdll.dll+21774(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e1a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 18141800x800000000000000048268Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:52:50.111{C8F4C507-62E2-6140-0309-00000000F001}2840\GoogleCrashServices\S-1-5-18C:\Program Files (x86)\Google\Update\GoogleUpdate.exe 10341000x800000000000000048267Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.111{C8F4C507-61C9-6140-8C08-00000000F001}71166444C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe{C8F4C507-62E2-6140-0309-00000000F001}2840C:\Program Files (x86)\Google\Update\GoogleUpdate.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe+edd9|C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe+f514|C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe+fa0e|C:\Windows\SYSTEM32\ntdll.dll+21774(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e1a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 18141800x800000000000000048266Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 
08:52:50.111{C8F4C507-62E2-6140-0309-00000000F001}2840\GoogleCrashServices\S-1-5-18C:\Program Files (x86)\Google\Update\GoogleUpdate.exe 10341000x800000000000000048265Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.111{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-62E2-6140-0209-00000000F001}6644C:\Program Files (x86)\Google\Update\GoogleUpdate.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048264Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.111{C8F4C507-61C9-6140-8C08-00000000F001}71166444C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe{C8F4C507-62E2-6140-0209-00000000F001}6644C:\Program Files (x86)\Google\Update\GoogleUpdate.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe+edd9|C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe+f514|C:\Program Files 
(x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe+fa0e|C:\Windows\SYSTEM32\ntdll.dll+21774(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e1a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 18141800x800000000000000048263Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:52:50.111{C8F4C507-62E2-6140-0209-00000000F001}6644\GoogleCrashServices\S-1-5-18C:\Program Files (x86)\Google\Update\GoogleUpdate.exe 10341000x800000000000000048262Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.111{C8F4C507-61C9-6140-8C08-00000000F001}71166444C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe{C8F4C507-62E2-6140-0209-00000000F001}6644C:\Program Files (x86)\Google\Update\GoogleUpdate.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe+edd9|C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe+f514|C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe+fa0e|C:\Windows\SYSTEM32\ntdll.dll+21774(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e1a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 18141800x800000000000000048261Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 
08:52:50.111{C8F4C507-62E2-6140-0209-00000000F001}6644\GoogleCrashServices\S-1-5-18C:\Program Files (x86)\Google\Update\GoogleUpdate.exe 10341000x800000000000000048260Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.002{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048259Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.002{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000048258Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.002{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048257Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.002{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048256Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:50.002{C8F4C507-4936-6140-0500-00000000F001}416432C:\Windows\system32\csrss.exe{C8F4C507-62E2-6140-0209-00000000F001}6644C:\Program Files (x86)\Google\Update\GoogleUpdate.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048255Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.002{C8F4C507-4938-6140-1600-00000000F001}13242440C:\Windows\system32\svchost.exe{C8F4C507-62E2-6140-0209-00000000F001}6644C:\Program Files (x86)\Google\Update\GoogleUpdate.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048254Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:50.002{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048253Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.002{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048252Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:50.002{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048251Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.002{C8F4C507-4936-6140-0500-00000000F001}416532C:\Windows\system32\csrss.exe{C8F4C507-62E2-6140-0309-00000000F001}2840C:\Program Files (x86)\Google\Update\GoogleUpdate.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048250Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:50.002{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048249Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.002{C8F4C507-4938-6140-1600-00000000F001}13244240C:\Windows\system32\svchost.exe{C8F4C507-62E2-6140-0309-00000000F001}2840C:\Program Files (x86)\Google\Update\GoogleUpdate.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000048248Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.002{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4938-6140-1600-00000000F001}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048247Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:50.002{C8F4C507-4937-6140-0C00-00000000F001}8485088C:\Windows\system32\svchost.exe{C8F4C507-4938-6140-1600-00000000F001}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048246Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.002{C8F4C507-4937-6140-0C00-00000000F001}8485088C:\Windows\system32\svchost.exe{C8F4C507-4938-6140-1600-00000000F001}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048245Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:50.002{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4938-6140-1600-00000000F001}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000025690Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:51.805{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEBBA3872C46141D3892802265A325B5,SHA256=644C4697F59DE98E74CEDFC799CD096AA7B792AEB7CE432E656BAC80D0C6D847,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048353Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:51.642{C8F4C507-62E3-6140-0809-00000000F001}24165212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000048352Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.458{C8F4C507-4934-6140-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50604-true0:0:0:0:0:0:0:1win-dc-158.attackrange.local47001- 354300x800000000000000048351Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.458{C8F4C507-4938-6140-1600-00000000F001}1324C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50604-true0:0:0:0:0:0:0:1win-dc-158.attackrange.local47001- 354300x800000000000000048350Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.437{C8F4C507-4934-6140-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50603-true0:0:0:0:0:0:0:1win-dc-158.attackrange.local47001- 354300x800000000000000048349Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.437{C8F4C507-4938-6140-1600-00000000F001}1324C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50603-true0:0:0:0:0:0:0:1win-dc-158.attackrange.local47001- 10341000x800000000000000048348Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:51.455{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-62E3-6140-0809-00000000F001}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000048347Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:51.455{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048346Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:51.455{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048345Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:51.455{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048344Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:51.455{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048343Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:51.455{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-62E3-6140-0809-00000000F001}2416C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048342Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:51.455{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-62E3-6140-0809-00000000F001}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048341Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:51.331{C8F4C507-62E3-6140-0809-00000000F001}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048340Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:51.392{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C725C27C03476A2A5AF34578777DD76,SHA256=56C5A28DE9E55E097B387447908C495F4FB97A917E85E310EC7AF4C2384BB629,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025689Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:47.722{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50921-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000048339Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:51.283{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=14CB548D83B37BC9C34FFF7F037CF993,SHA256=B723DD606D60B846D8906E540D436E01A4FE9EC5E52E4C3EF49267B2AF187F23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048338Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:51.283{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=EE176543C44EB978E885EB77DAFCB769,SHA256=6EBBA66AD6A7EEC95216D6C43A3ECFEC7B50346D4BECEB614F010FAFA2EA575A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048337Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:51.002{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F828AB90F253BDC664214942DD74D19B,SHA256=DF7738A2F7654A59EE124BE9C7338714F4AC2470D79B2222BCC94B4B914B9026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025691Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:52.820{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E5680EF70CC99BE48B97FDC6BEE272,SHA256=5957EE0D955BC86EBB48405BCC5400E1359618F9A77131B962F447F27AE17657,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048367Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:52.736{C8F4C507-62E4-6140-0909-00000000F001}36526696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048366Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:52.580{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-62E4-6140-0909-00000000F001}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048365Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:52.580{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048364Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:52.580{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048363Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:52.580{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048362Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:52.580{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048361Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:52.580{C8F4C507-4936-6140-0500-00000000F001}416432C:\Windows\system32\csrss.exe{C8F4C507-62E4-6140-0909-00000000F001}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048360Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:52.580{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-62E4-6140-0909-00000000F001}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048359Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:52.581{C8F4C507-62E4-6140-0909-00000000F001}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048358Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:52.393{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD7DFE02FFBBE101F7CC27BAA62E321,SHA256=4C1C93CC32EC430FDBEEE4C5B7DD8B917A419841AED3E666080968D5958BC8C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048357Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:52.346{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2512FB7C60571B44618F5343DF14A4E5,SHA256=2E00BC94D8261E7FC427F9A0653A1B73060BBE08A789D8480E3A9858A83AC151,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048356Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.667{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50606-true0:0:0:0:0:0:0:1win-dc-158.attackrange.local389ldap 354300x800000000000000048355Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.667{C8F4C507-4948-6140-2700-00000000F001}2876C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50606-true0:0:0:0:0:0:0:1win-dc-158.attackrange.local389ldap 354300x800000000000000048354Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:50.517{C8F4C507-62E2-6140-0409-00000000F001}4236C:\Program Files (x86)\Google\Update\GoogleUpdate.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50605-false142.250.185.142fra16s50-in-f14.1e100.net443https 23542300x800000000000000025692Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:53.836{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA6DF8135E40AAE2132E260191943754,SHA256=314415A75B8E67E8504F914AE559E3C80B1DB0FB2549F4C99DA3B2FBC39DD39F,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000048378Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:53.596{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00EC7DF5B82B04D426276B412AF6CECD,SHA256=D881E5C9396921689FA23D1CF2DEC6994D3AE5F25BDA70FEE2F5955227C2FB06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048377Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:53.580{C8F4C507-62E5-6140-0A09-00000000F001}53084940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048376Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:53.408{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7A38EF38E98C2F75896439AAE1B1ABD,SHA256=9D752232EB72FF0FE18FE68B011540C32B8706029B96B1B2C77A97F77E2C9A12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048375Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:53.393{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-62E5-6140-0A09-00000000F001}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048374Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:53.393{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048373Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:53.393{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048372Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:53.393{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048371Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:52:53.393{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048370Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:53.393{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-62E5-6140-0A09-00000000F001}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048369Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:53.393{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-62E5-6140-0A09-00000000F001}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048368Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:52:53.253{C8F4C507-62E5-6140-0A09-00000000F001}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025693Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:52:54.852{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=488395E80EF5E221CCDEB3A735331460,SHA256=F3E6F36EA0F76795A7EBD383ABB10DD0952C7C3E530F8F5B5E84702B8A4C4F2D,IMPHASH=00000000000000000000000000000000falsetrue 
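The records above are Sysmon Event ID 10 (ProcessAccess) entries with their XML field tags stripped: source process, target process, the GrantedAccess mask and a call trace, mostly the ordinary noise of csrss.exe, conhost.exe, svchost.exe (via lsm.dll) and splunkd.exe opening the forwarder's freshly created child processes with PROCESS_ALL_ACCESS (0x1fffff) or query-only rights (0x1400). As an added example, not part of this log data or of the Splunk Attack Range project, the Python below decodes the GrantedAccess mask and runs a small triage rule set over a handful of these records transcribed into structured form (field names are assumed from the Sysmon Event 10 schema, since the dump carries no tags; call traces are shortened), plus one constructed record in which a hypothetical binary opens lsass.exe so the alert path is exercised. The PARENT_OF map is taken from the page's Event ID 1 (ProcessCreate) records.

```python
from __future__ import annotations
from dataclasses import dataclass

# Process access rights from winnt.h; used to decode Sysmon's GrantedAccess mask.
PROCESS_RIGHTS = {
    0x000001: "PROCESS_TERMINATE",
    0x000002: "PROCESS_CREATE_THREAD",
    0x000008: "PROCESS_VM_OPERATION",
    0x000010: "PROCESS_VM_READ",
    0x000020: "PROCESS_VM_WRITE",
    0x000040: "PROCESS_DUP_HANDLE",
    0x000080: "PROCESS_CREATE_PROCESS",
    0x000100: "PROCESS_SET_QUOTA",
    0x000200: "PROCESS_SET_INFORMATION",
    0x000400: "PROCESS_QUERY_INFORMATION",
    0x000800: "PROCESS_SUSPEND_RESUME",
    0x001000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x002000: "PROCESS_SET_LIMITED_INFORMATION",
    0x010000: "DELETE",
    0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
KNOWN_BITS = 0
for _bit in PROCESS_RIGHTS:
    KNOWN_BITS |= _bit

MEMORY_READ = 0x10                 # PROCESS_VM_READ: enough to dump credentials
INJECTION = 0x02 | 0x08 | 0x20     # CREATE_THREAD | VM_OPERATION | VM_WRITE
SENSITIVE_TARGETS = {"lsass.exe"}
# Subsystem processes that open every new process with full access (seen on this
# page); matched on the full path so a same-named binary elsewhere is not excused.
NOISE_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\conhost.exe"}


@dataclass
class ProcessAccess:
    record_id: int
    source_pid: int
    source_image: str
    target_pid: int
    target_image: str
    granted: int
    call_trace: str


def decode_access(mask: int) -> list[str]:
    """Name the rights in a GrantedAccess mask, lowest bit first; unknown bits are kept as hex."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    leftover = mask & ~KNOWN_BITS
    if leftover:
        names.append(f"0x{leftover:x}")
    return names


def triage(ev: ProcessAccess, parent_of: dict[int, int]) -> list[str]:
    """Return the reasons an Event 10 record deserves a look; an empty list means noise."""
    reasons: list[str] = []
    target = ev.target_image.rsplit("\\", 1)[-1].lower()
    if target in SENSITIVE_TARGETS and ev.granted & (MEMORY_READ | INJECTION):
        rights = decode_access(ev.granted & (MEMORY_READ | INJECTION))
        reasons.append(f"{target} opened with {', '.join(rights)}")
    if (ev.granted & INJECTION
            and parent_of.get(ev.target_pid) != ev.source_pid
            and ev.source_image.lower() not in NOISE_SOURCES):
        # A parent holding a full-access handle to the child it just created is the
        # ordinary CreateProcess handle; anyone else asking for write/thread rights
        # on a process is worth a look.
        reasons.append("write/thread rights from a process that is not the parent")
    if "UNKNOWN(" in ev.call_trace:
        # Sysmon prints UNKNOWN(<address>) for a frame not backed by a module on disk.
        reasons.append("call stack frame not backed by a module on disk")
    return reasons


# Sample input. Records 48342, 48343, 48347, 48348 and 48353 are transcribed from the
# events on this page (call traces shortened). Record 99999 is constructed: a
# hypothetical binary reading lsass.exe (PID 632 on this page) with the 0x1010 mask
# commonly associated with credential dumpers, from an unbacked stack frame.
UF = r"C:\Program Files\SplunkUniversalForwarder\bin"
SAMPLE_EVENTS = [
    ProcessAccess(48342, 2960, UF + r"\splunkd.exe", 2416, UF + r"\splunk-powershell.exe",
                  0x1FFFFF, r"C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860"),
    ProcessAccess(48343, 416, r"C:\Windows\system32\csrss.exe", 2416, UF + r"\splunk-powershell.exe",
                  0x1FFFFF, r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47"),
    ProcessAccess(48347, 848, r"C:\Windows\system32\svchost.exe", 2892, r"C:\Windows\sysmon64.exe",
                  0x1400, r"C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\lsm.dll+fd18"),
    ProcessAccess(48348, 3356, r"C:\Windows\system32\conhost.exe", 2416, UF + r"\splunk-powershell.exe",
                  0x1FFFFF, r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7"),
    ProcessAccess(48353, 2416, UF + r"\splunk-powershell.exe", 2960, UF + r"\splunkd.exe",
                  0x101400, r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd"),
    ProcessAccess(99999, 4711, r"C:\Users\Public\sample.exe", 632, r"C:\Windows\system32\lsass.exe",
                  0x1010, r"C:\Windows\SYSTEM32\ntdll.dll+a6134|UNKNOWN(00007FF6C0A01234)"),
]
PARENT_OF = {2416: 2960, 3652: 2960, 5308: 2960}   # child -> parent, from the page's Event 1 records


def triage_all(events=SAMPLE_EVENTS, parent_of=PARENT_OF) -> dict[int, list[str]]:
    """Map each record ID to its triage reasons; noise records map to an empty list."""
    return {ev.record_id: triage(ev, parent_of) for ev in events}


if __name__ == "__main__":
    for rid, reasons in triage_all().items():
        print(rid, "ALERT" if reasons else "noise", "; ".join(reasons))
```

The parent correlation is what keeps splunkd.exe's 0x1fffff handle to splunk-powershell.exe out of the alert queue: Event 10 alone cannot tell a parent's CreateProcess handle from an injection attempt, but joined with the ParentProcessId from Event 1 it can. The csrss.exe and conhost.exe allow-list is deliberately keyed on the full System32 path, and the 0x1400 opens from svchost.exe carry no read or write rights, so they need no exception at all.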
10341000x800000000000000048426Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:09.100{C8F4C507-5C87-6140-B607-00000000F001}33724092C:\Windows\Explorer.EXE{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000048425Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:53:09.100{C8F4C507-5C87-6140-B607-00000000F001}33724092C:\Windows\Explorer.EXE{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000048424Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:53:09.100{C8F4C507-5C87-6140-B607-00000000F001}33727120C:\Windows\Explorer.EXE{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048423Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:09.100{C8F4C507-5C87-6140-B607-00000000F001}33727120C:\Windows\Explorer.EXE{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048422Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:53:09.085{C8F4C507-5C87-6140-B607-00000000F001}33727120C:\Windows\Explorer.EXE{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048421Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:09.085{C8F4C507-4937-6140-0C00-00000000F001}8485088C:\Windows\system32\svchost.exe{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048420Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:53:09.085{C8F4C507-4937-6140-0C00-00000000F001}8485088C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048419Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:09.085{C8F4C507-4937-6140-0C00-00000000F001}8485088C:\Windows\system32\svchost.exe{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048418Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:53:09.085{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000048417Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:53:09.085{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000048416Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:53:09.085{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000048415Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:09.085{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048414Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:53:09.085{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048413Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:09.085{C8F4C507-5C87-6140-B607-00000000F001}33727044C:\Windows\Explorer.EXE{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000048412Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:09.085{C8F4C507-5C87-6140-B607-00000000F001}33727044C:\Windows\Explorer.EXE{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048454Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:10.913{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=290BA7B25BF452B301778117FE8C3786,SHA256=F2169A1263057485995038EC993582129C8E75C6281DAEE5C0A87CC929ACA1FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025714Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:10.059{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4695F7302C6CD54C7C084E1A1845F52,SHA256=BAB37F739741A6EC30B8CD974B618D9A25E635E93DD438F3CE1EE569CB0BA417,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048453Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:53:09.171{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50612-false10.0.1.12-8000- 10341000x800000000000000048452Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:10.069{C8F4C507-5C87-6140-B607-00000000F001}33724092C:\Windows\Explorer.EXE{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000048451Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:53:10.054{C8F4C507-5C87-6140-B607-00000000F001}33724092C:\Windows\Explorer.EXE{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000048450Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:10.054{C8F4C507-5C87-6140-B607-00000000F001}33725520C:\Windows\Explorer.EXE{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000048449Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:10.054{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048448Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:53:10.054{C8F4C507-5C87-6140-B607-00000000F001}33725520C:\Windows\Explorer.EXE{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048447Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:10.054{C8F4C507-5C87-6140-B607-00000000F001}3372708C:\Windows\Explorer.EXE{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048446Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:53:10.054{C8F4C507-5C87-6140-B607-00000000F001}3372708C:\Windows\Explorer.EXE{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048445Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:10.054{C8F4C507-4937-6140-0C00-00000000F001}8485012C:\Windows\system32\svchost.exe{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
08:53:20.413{C8F4C507-4938-6140-1600-00000000F001}13244532C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2F00-00000000F001}1620C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048483Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:20.007{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCE3366A3FDAC80492C00A4840620CAC,SHA256=A10B3EA6F48F51381D93F3820CE1CE228986D79EBA5785D70DC382FB48EE8B00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048502Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:21.994{C8F4C507-4948-6140-2A00-00000000F001}2916NT AUTHORITY\SYSTEMC:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0477d517a1c234eb8\channels\health\surveyor-20210914070336-107MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048501Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:20.359{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50615-false10.0.1.12-8000- 13241300x800000000000000048500Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:53:21.462{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000048499Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:53:21.462{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0064cde8) 13241300x800000000000000048498Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:53:21.462{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a93d-0x9632b293) 13241300x800000000000000048497Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:53:21.462{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a945-0xf7f71a93) 
13241300x800000000000000048496Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:53:21.462{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a94e-0x59bb8293) 13241300x800000000000000048495Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:53:21.462{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000048494Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:53:21.462{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0064cde8) 13241300x800000000000000048493Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:53:21.462{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a93d-0x9632b293) 13241300x800000000000000048492Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:53:21.462{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a945-0xf7f71a93) 13241300x800000000000000048491Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:53:21.462{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a94e-0x59bb8293) 23542300x800000000000000048490Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:53:21.165{C8F4C507-4938-6140-1000-00000000F001}420NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F1C1F4372C084C75546141EAB2186DC9,SHA256=9E09A79C1577818CFC99D8EBF272E9D324FBC8ECFB23FA2E9D1BAEC589FA1C0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048489Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:21.009{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31A8152CEDC3E2B145FC0EF2DB6E9378,SHA256=F4154D58154DA05F8949E9E0D94F88AB55AFC70F0A2634F7426C4B3A73769D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025729Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:21.200{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0E7321813C45E18C0516E5AE7555D26,SHA256=001BD29F991302A5D98685357B1C75EA3450EF813AEB603CA47F039F491C9CF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025757Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:22.918{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-6302-6140-6806-00000000F101}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000025756Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:22.918{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025755Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:22.918{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000025754Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:22.918{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025753Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:22.918{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025752Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:53:22.918{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025751Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:22.918{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025750Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:53:22.918{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025749Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:22.918{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025748Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:53:22.918{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025747Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:22.918{4A7D70D7-4BB7-6140-0500-00000000F101}416532C:\Windows\system32\csrss.exe{4A7D70D7-6302-6140-6806-00000000F101}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025746Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:22.918{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-6302-6140-6806-00000000F101}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025745Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:22.919{4A7D70D7-6302-6140-6806-00000000F101}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000025744Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:22.450{4A7D70D7-6302-6140-6706-00000000F101}39922092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025743Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:22.246{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-6302-6140-6706-00000000F101}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025742Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:22.246{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025741Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:53:22.246{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025740Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:22.246{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025739Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:53:22.246{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025738Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:22.246{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025737Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:53:22.246{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025736Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:22.246{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025735Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:53:22.246{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025734Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:22.246{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025733Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:22.246{4A7D70D7-4BB7-6140-0500-00000000F101}416432C:\Windows\system32\csrss.exe{4A7D70D7-6302-6140-6706-00000000F101}3992C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025732Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:22.246{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-6302-6140-6706-00000000F101}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025731Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:22.247{4A7D70D7-6302-6140-6706-00000000F101}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025730Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:22.200{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3231784A3AFB038F97DBD63BE8655577,SHA256=30226823D03AB5C4EEF6BA613E35E4794D23ADC43CD91FA2B72AE8B33BB85440,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048503Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:22.023{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E9FFB216EE85727462D26660325E54,SHA256=AFEDAF5334B2112E98EE8ED57FBB69AB16EA114BF4733D4BB6B275EDC0AB8C2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025773Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:23.434{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-6303-6140-6906-00000000F101}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000025772Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:23.434{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025771Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:23.434{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000025770Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:23.434{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025769Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:23.434{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025768Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:53:23.434{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025767Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:23.434{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025766Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:53:23.434{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025765Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:23.434{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025764Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:53:23.434{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025763Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:23.434{4A7D70D7-4BB7-6140-0500-00000000F101}416432C:\Windows\system32\csrss.exe{4A7D70D7-6303-6140-6906-00000000F101}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025762Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:23.434{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-6303-6140-6906-00000000F101}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025761Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:23.435{4A7D70D7-6303-6140-6906-00000000F101}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025760Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:23.418{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02461CBC331006C3111DC0698C122B19,SHA256=AA7839AF783495EEFD0D6EE707153FCBEEFBCCE683A470229B203F2F497E8BBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025759Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:53:23.418{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3C1239BC63A04B99CD5AD34AE6E462E,SHA256=BA4986BDF4F4E1C7C49A2ABBDAADC5514C55867455C561A4AC62EB3A9017A803,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025758Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:23.403{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7329ACD1F4B0A0098487042BD6DF712,SHA256=79B4C67887695AE3D030E41D018CA28240CEE882693609E7AE53C71C40707BEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048504Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:23.057{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CD3CD2E2ED161961E3C31E5BC290CC3,SHA256=E6EB471EE3D39ACE0C2D7BDAC18C3FE02C664C13C03592774C08D7AA0CD5033B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025776Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:20.820{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50928-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025775Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:24.450{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02461CBC331006C3111DC0698C122B19,SHA256=AA7839AF783495EEFD0D6EE707153FCBEEFBCCE683A470229B203F2F497E8BBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025774Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:24.418{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC4E0F605C148BEBBDEF17BEBECF7EE9,SHA256=CBF77893F7D7437B17F6BA1C1FE65E6A023521C0F73D3795933B619E902468FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048505Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:24.073{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF1CEC216E1B73EE344882A5B4AF7862,SHA256=23FC6F65377462CDFFF6DEA28871BC84A63799052F7E1367F5BF9FE857A06668,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025791Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:25.688{4A7D70D7-6305-6140-6A06-00000000F101}38323788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025790Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:25.501{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-6305-6140-6A06-00000000F101}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025789Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:25.501{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025788Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:53:25.501{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025787Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:25.501{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025786Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:53:25.501{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025785Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:25.501{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025784Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:53:25.501{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025783Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:25.501{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025782Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:53:25.501{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025781Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:25.501{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025780Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:25.501{4A7D70D7-4BB7-6140-0500-00000000F101}416432C:\Windows\system32\csrss.exe{4A7D70D7-6305-6140-6A06-00000000F101}3832C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025779Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:25.501{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-6305-6140-6A06-00000000F101}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025778Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:25.502{4A7D70D7-6305-6140-6A06-00000000F101}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
08:53:27.704{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025825Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:27.704{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025824Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:27.704{4A7D70D7-4BB7-6140-0500-00000000F101}416952C:\Windows\system32\csrss.exe{4A7D70D7-6307-6140-6D06-00000000F101}3504C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025823Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:27.704{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-6307-6140-6D06-00000000F101}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025822Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:27.705{4A7D70D7-6307-6140-6D06-00000000F101}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000048508Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:25.363{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50616-false10.0.1.12-8000- 10341000x800000000000000048531Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:28.933{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-62E2-6140-0209-00000000F001}6644C:\Program Files (x86)\Google\Update\GoogleUpdate.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048530Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:28.933{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-62E2-6140-0209-00000000F001}6644C:\Program Files 
(x86)\Google\Update\GoogleUpdate.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048529Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:28.933{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-62E2-6140-0209-00000000F001}6644C:\Program Files (x86)\Google\Update\GoogleUpdate.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048528Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:53:28.933{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4938-6140-0F00-00000000F001}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000048527Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:28.933{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-62E2-6140-0209-00000000F001}6644C:\Program Files 
(x86)\Google\Update\GoogleUpdate.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048526Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:28.917{C8F4C507-6307-6140-0C09-00000000F001}212NT AUTHORITY\SYSTEMC:\Program Files (x86)\Google\Update\GoogleUpdate.exeC:\Program Files (x86)\Google\Update\Install\{088D8993-C01C-4474-AA91-66E53E031F43}\93.0.4577.82_chrome_installer.exeMD5=7CCC73850F1C767E3A3321E12617FB99,SHA256=A5C0CB1341556D8D399E93C6F3BF9591F2F506FB98A41AA5A8408A94AC3E43B9,IMPHASH=FF0DFA05658A149B7B21130A1A8DAEDBtruetrue 23542300x800000000000000048525Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:28.761{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7F1EA5A3979C6FFB3A5E3DDA00F3E9C,SHA256=4185702E4F43331366AB970B5AB062F500FA4A0A47479D1A8A10BA43FC6438B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048524Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:28.761{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=113B97747BB26E7C478C6806CE713754,SHA256=5B9AFEADA150F067DB8A4D91F415DA0140A908CA075431FA3F068559DE220F30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048523Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:28.214{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-6307-6140-0C09-00000000F001}212C:\Program Files (x86)\Google\Update\GoogleUpdate.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048522Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:28.214{C8F4C507-4936-6140-0A00-00000000F001}6241320C:\Windows\system32\services.exe{C8F4C507-6307-6140-0C09-00000000F001}212C:\Program Files 
(x86)\Google\Update\GoogleUpdate.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048521Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:28.214{C8F4C507-61C9-6140-8C08-00000000F001}71166444C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe{C8F4C507-6307-6140-0C09-00000000F001}212C:\Program Files (x86)\Google\Update\GoogleUpdate.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe+edd9|C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe+f514|C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe+fa0e|C:\Windows\SYSTEM32\ntdll.dll+21774(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e1a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 
18141800x800000000000000048520Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:53:28.214{C8F4C507-6307-6140-0C09-00000000F001}212\GoogleCrashServices\S-1-5-18C:\Program Files (x86)\Google\Update\GoogleUpdate.exe 10341000x800000000000000048519Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:28.214{C8F4C507-61C9-6140-8C08-00000000F001}71166444C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe{C8F4C507-6307-6140-0C09-00000000F001}212C:\Program Files (x86)\Google\Update\GoogleUpdate.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe+edd9|C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe+f514|C:\Program Files (x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe+fa0e|C:\Windows\SYSTEM32\ntdll.dll+21774(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e1a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 18141800x800000000000000048518Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 08:53:28.214{C8F4C507-6307-6140-0C09-00000000F001}212\GoogleCrashServices\S-1-5-18C:\Program Files (x86)\Google\Update\GoogleUpdate.exe 23542300x800000000000000048517Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:28.121{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7390950304DB76B7ED8BD0A0F7E63BD4,SHA256=8815DCB074D93FD4102C5F4E52267095B97806B89094E3B997259DC933557F80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025836Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:28.001{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DAE87339BA3AFDFA870EF3212AA7A41,SHA256=48B4A75BEB1104AD73762BE86D9383EAD044F8D1AEBCE1400B97691676618826,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025835Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:28.001{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66A794FD0C11FFAC56B40D396C542E93,SHA256=EB39EC4B5CD0D159B40DA13CD6E407405BCD001CD0B59552CEA8B7C65CA54242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048543Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:29.339{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5C377B1229D68955B44D733DC03DEE45,SHA256=CB5148F3D2D7DAA6EEE3D4FD7B010F58B6EC1C38B5A6038D12CB4F544D948246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048542Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:29.339{C8F4C507-495A-6140-7B00-00000000F001}3640NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=241300145DF836E8FFB20B7A90A5E89C,SHA256=2AA0AD9C3E6583AC1A069366B1F6BD4789A7B06B3F8F7628D10159A19817EC2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048541Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:29.308{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-6307-6140-0C09-00000000F001}212C:\Program Files (x86)\Google\Update\GoogleUpdate.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048540Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:29.308{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-6307-6140-0C09-00000000F001}212C:\Program Files 
(x86)\Google\Update\GoogleUpdate.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048539Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:29.308{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-6307-6140-0C09-00000000F001}212C:\Program Files (x86)\Google\Update\GoogleUpdate.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048538Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:53:29.308{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4938-6140-0F00-00000000F001}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000048537Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:29.292{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-6307-6140-0C09-00000000F001}212C:\Program Files 
(x86)\Google\Update\GoogleUpdate.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048536Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:29.261{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4A82CF66460A1DA451FF26AA1138C633,SHA256=D96179DB6848708F04E473A6F723E8B275605DD6C6DA4E477C9C53485DCFF25F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048535Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:29.261{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=14CB548D83B37BC9C34FFF7F037CF993,SHA256=B723DD606D60B846D8906E540D436E01A4FE9EC5E52E4C3EF49267B2AF187F23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048534Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:29.246{C8F4C507-4936-6140-0B00-00000000F001}6324692C:\Windows\system32\lsass.exe{C8F4C507-6307-6140-0C09-00000000F001}212C:\Program Files 
08:53:48.804{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048593Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:48.804{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-631C-6140-0F09-00000000F001}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048592Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:48.804{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-631C-6140-0F09-00000000F001}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048591Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:48.804{C8F4C507-631C-6140-0F09-00000000F001}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048590Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:48.741{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F46020083B607B34203A455BD73D457E,SHA256=7C97EFBE475B19E19185D0B7E82B014F5667A0AFC3C72FF6B489F9819AA59B85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048589Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:53:48.741{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEB3A8B165ECA5D34150AB1451E1D717,SHA256=E9A53307C883947F2D5ABCA4145BD98CCC56168D8B142674365095B958D92971,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048588Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:48.132{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-631C-6140-0E09-00000000F001}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048587Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:48.132{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048586Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:53:48.132{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048585Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:48.132{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048584Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:53:48.132{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048583Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:48.132{C8F4C507-4936-6140-0500-00000000F001}416432C:\Windows\system32\csrss.exe{C8F4C507-631C-6140-0E09-00000000F001}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048582Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:48.132{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-631C-6140-0E09-00000000F001}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048581Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:48.133{C8F4C507-631C-6140-0E09-00000000F001}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048602Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:49.976{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C923A0B9E5B0059A4D9524AC1707F1B3,SHA256=4BAFE13DEFF4EE35D320C03EC3E909A7683A7493B6F4F8F25CFE2F739EDAC16B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000025863Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:49.496{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EA13FAE0B08E82C9E453B1E234F7069,SHA256=7B06D6FD9E6C88D2711A99BA58AE4CE51C95B02A97EEC6B33D0E8A7798F2E85D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048601Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:49.819{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F46020083B607B34203A455BD73D457E,SHA256=7C97EFBE475B19E19185D0B7E82B014F5667A0AFC3C72FF6B489F9819AA59B85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048600Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:49.101{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D1C8E4F9EB564691D9914F68E8E41E,SHA256=4FBC787AE3B746D538D85CAEAFDE797EE4B5077A1B29FA013D454A9F7CB1D0F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048604Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:50.991{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4281DE2DF6C8816789D9755CDF00DEBF,SHA256=A7D52D3ABA21A427D5C4489DC2E6E3765781C198FB900C9EC9B6C27DD8F6C34D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025864Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:50.512{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F42C8BE6303A816D942AC44D7A51F8A5,SHA256=A6D2AB14FD8F167FFC92F9B540032CA9766F69F368447AAC84512C659A7F1B68,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048603Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:48.187{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50622-false10.0.1.12-8000- 23542300x800000000000000025865Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:51.527{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BD6650133B05507BD40D7C3AB9AC7C5,SHA256=97D0316A1A32FCDAA50B0B627E754A8F213D1EFCD2AA4AD3E4D55D7AE3D01B37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048617Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:51.601{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CB7BF7D67FA238328C0FD92D6AC64B6,SHA256=43CB938E3CE833829EB1E7E9A7F435293EF90D137E9A88A13D55773B86BA0166,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048616Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:51.559{C8F4C507-631F-6140-1009-00000000F001}60126128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048615Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:51.335{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-631F-6140-1009-00000000F001}6012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048614Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:53:51.335{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048613Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:51.335{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048612Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:53:51.335{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048611Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:51.335{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-631F-6140-1009-00000000F001}6012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048610Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:53:51.335{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048609Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:51.335{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-631F-6140-1009-00000000F001}6012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048608Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:51.336{C8F4C507-631F-6140-1009-00000000F001}6012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000048607Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:51.054{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4938-6140-1500-00000000F001}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048606Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:53:51.054{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4938-6140-1500-00000000F001}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048605Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:53:51.054{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4938-6140-1500-00000000F001}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000025867Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:53:52.527{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program 
23542300x800000000000000048664Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:03.179{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37B80D6C5051E73820080F5E43B920D7,SHA256=A7D7CD68CD6C44E41AB03E63C4F1ADDB308056E63C2CDE7906470C4FB5188C85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025882Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:04.668{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=896F0B7BB18A98B6E7E9A8CFB9E72D1C,SHA256=322F48CBABEC2FDE427F607DB11A9BABDCCF45369573F19DC0D2E453747558CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048670Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:04.979{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB6AE57DAF5148CCF9442487B14E6C30,SHA256=1E0BB1FF29E5C903A12E38F1A101D99FC5100B11850A7183063FD606ACE20BEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048669Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:04.979{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=598D7E5D3C4F01B476EE1A9AD0CB3B33,SHA256=85D44E1B548D9B487AAEEF7A4407DE4B2F05C92352792757024B3C25D4B6CD6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048668Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:04.194{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB91C6120B030E6363A8A6FD4217C91A,SHA256=7E6D6975BB94148489C5CAB118C2CA25B1B70E1611AAC386DA011D522E1DD7E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025883Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:05.673{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F44588ECAB60A3AEDF3B4F3C25A025F0,SHA256=D8E5B62E39F779BBDB6378959A2946B785376431B568422B3BE682BDBABCB3D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048677Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:04.086{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local50628-truefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local389ldap 354300x800000000000000048676Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:04.086{C8F4C507-4948-6140-2F00-00000000F001}1620C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local50628-truefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local389ldap 
354300x800000000000000048675Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:04.078{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local50627-truefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local389ldap 354300x800000000000000048674Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:04.078{C8F4C507-4948-6140-2F00-00000000F001}1620C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local50627-truefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local389ldap 354300x800000000000000048673Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:04.063{C8F4C507-4938-6140-0D00-00000000F001}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local50626-truefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local135epmap 354300x800000000000000048672Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:04.063{C8F4C507-4948-6140-2F00-00000000F001}1620C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local50626-truefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local135epmap 23542300x800000000000000048671Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:05.198{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F623345F32F94D63A729AC02D79BEB1,SHA256=803AB26AA962ECBABD292DE0626084098EAA2E4FECC8C4EFA9CAB965489E2077,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000025884Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:06.688{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A43A505DF645CCB2B798C7587D2202C3,SHA256=4EB3454BE25E65605766E403F7B72837874A0151068B452C409D4A8B3ECC0C35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048678Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:06.214{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06B713AD04187E655BA2D13BF3244BF0,SHA256=4D3097D68DDA0CD4A5EA68B7DA1B6B9924183F4EFA9C706D2696359FB9AB67FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025885Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:07.704{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01D61034954599BE3C33383B1EA7C271,SHA256=5026A18D9AA02F194445D1DCBB349E5D3AA85690F883DEA827FB836E7FFB11D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048680Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:07.276{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=190CEC9004D357A44B8A4639EAA17A63,SHA256=0467103CF7172448255A175E27D9BF3FDE77B463F8D45C32DF0C2A9A8BC04B66,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048679Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:04.156{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50629-false10.0.1.12-8000- 354300x800000000000000025887Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:04.747{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50936-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025886Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:08.704{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CEE63C1DBEE8E785AFDB9C524CE0E63,SHA256=A5CF53CA417A00EB4185C041576E9BBC9DA91091FD147E7789D65CAC30CB9299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048681Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:08.276{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E19FD2032914EE866EB2F60B8D5F54C,SHA256=6221D3908B9A7538D05430B5D0DD07068965CF6CC60EAC561E4150C36275FC2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025888Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:09.720{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3EFE7B5885127BC1BAD0B87AEF00CC0,SHA256=29EF76E1AD5FAEE4FDCAE0D5424FD75030E8A0526526C209733A4EDB1145668C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048682Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:09.417{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AF71C802C0024DF9BDB6158BF43BE71,SHA256=980A95C700C33B189F3EAA9C1B0C9569BD356BC464B5A804EBA660C9274C078D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025889Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:10.735{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42DCBF4021EB4178BA2C166F4FBA7725,SHA256=1512463958E1643A59F6C2B250030180B57D210C9A782188A81E71FED6B25ECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048683Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:10.433{C8F4C507-495A-6140-7B00-00000000F001}3640NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9A2B350C696BE36BE171D32BDB7F478,SHA256=A15D833D3F95D09323B71108E64E600784B2E02937C29848313F7BB03419E72C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025891Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:11.751{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E95353CAD2727262CE80EECAB58F02C4,SHA256=0CAFC2BE04D30F855D0F1AAD6AA33853EC6F042BCBA06D49CB9F73E61996E26C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048685Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:11.464{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9EE05771937760DDED81A9AB5CB4AFB,SHA256=40F9BEBDC9FC47A2A3A148FB406ABE52F96F2550044AF03EA06B62BEE218D2DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025890Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:11.641{4A7D70D7-4C3D-6140-9E00-00000000F101}360NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=97307B6C6226AFFEFEDDF9EBA24D5EA3,SHA256=4CB856A974CB30F2D8F223261AE885385947BBAEFF3925236FB5B2D7588E78E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048684Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:54:09.207{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50630-false10.0.1.12-8000- 354300x800000000000000025894Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:10.201{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50938-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000025893Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:09.809{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50937-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025892Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:12.766{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB552F4C1F763A3D641DCA8DC97E167A,SHA256=9A6F4CCA3877FC5A84E0E390C91CD03F6BD7F957243874828A78E897E9592E81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048686Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:12.526{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA0174ABEEF1EFDF7AA36A04ABB47DDB,SHA256=7552FC9F1E4F56C9772EDA2ABFC001AB245D2C260152288A6A4D53E7CC56E1DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025895Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:13.766{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF8D479E73EDACE3171284C4795E622,SHA256=2BB0A6A74E1F4CEEE1721F42B2D40C693C07BE211CF2F864D8554C7AD7616093,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048687Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:13.558{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D33F91E5FFF971D2BF33A2155194D12,SHA256=F1EC50EE1EDBAEAB4768261326BB8755A4B401BA9B0F3100F6453B7B77A587B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025896Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:14.782{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2801D7060FEBA8580F74116A9A423A93,SHA256=F5FA3BCB35F2695869A83F27833274B248754DE12EAEC8311C304B4D1045F868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048688Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:14.573{C8F4C507-495A-6140-7B00-00000000F001}3640NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB3BF575B9EEE770D9C621F3B1639B36,SHA256=0BA019E6A8A3F4B0F94A38A891B0C33461111D3BB419CAE45A016BFB360465B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025897Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:15.798{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F8F4F9E019CC1D373E4F43A81DD5B7F,SHA256=2AF3AE36166318E0D7D1B3EFDFD517761ED497F60FB55D1CBB3597D1442A0D26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048692Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:15.589{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D133B2F288794A09B6AD46E8B261F11,SHA256=3E1CB8993BA5534ABEA1C7C8F95A69537FC0515667B2E64588BE73205F17D3ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048691Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:14.222{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50631-false10.0.1.12-8000- 10341000x800000000000000048690Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:54:15.499{C8F4C507-4938-6140-0D00-00000000F001}9046464C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2B00-00000000F001}2924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048689Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:15.499{C8F4C507-4938-6140-0D00-00000000F001}9046464C:\Windows\system32\svchost.exe{C8F4C507-4938-6140-1600-00000000F001}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000025898Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:16.813{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A20546C645B72FE42BD06886286242E,SHA256=A6F6A59F40F23DE6E2CC386A5D9005BD5E7BE1D82C619F293F40B7C93AF7146F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048693Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:16.620{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50948E875409A3659B23874235C81C63,SHA256=0559D3D3D830020EDAEE6B3BBA69EACC8CD607E617592791FD40AA333E39D121,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025899Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:17.829{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0C3D6F72A6F651E1EF0C9CF46733DB1,SHA256=10971E486ED2148E008DF01FCF0EAD4EC33F9325732F19E1ACA076A0BDA3052F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048694Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:17.636{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D281F499DDE536626E44F40D89946D8,SHA256=B98B8EFBCEB02DA8544035B62BED61D89E83164B5C64618448C24EE11D58DAEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048695Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:18.636{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F18323B42737679E852F13106436081E,SHA256=BEC71138356524A135F95EF0BCAB384079698DE5CD40F3A3D9BD92DB84DE43F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025900Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:18.845{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63286B1CB0BE6F1CAEFCE988632AF94C,SHA256=E081864BA8FFE194B71C85A3160CBEC7173294A0D3913834DB620C3316CB084F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025901Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:19.845{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42D83A79F7F25AA67FAC72C6D7BAAC9B,SHA256=863D48DB9D3C592740EBF40140EF61C64D225BBF7F38B2B301D56F4684E0EA2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048696Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:19.651{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8CBFBD0DE122ABFB0D8F9A1762363B1,SHA256=1DF3CA98EB506344957F4AC8CD245E9D3A2D2B8FCBEE519AED913846F8149755,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025903Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:20.860{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E2839A6E5690A03C06C0C0EF1F76125,SHA256=1184D662120F2EE99BA56BEA0B7E600743DAE6057B513B88FB02C51979ECD107,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000048697Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:20.698{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C89C6C7459164AD4F8764D65F057B0C,SHA256=3E062CC0516EC31E2BE440ABBA72A9A4784C2AF8DD19B35A59F6C443FC88AB2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025902Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:15.746{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50939-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025904Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:21.876{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76E0317FD565497757B70A3212D9C348,SHA256=B95DD5902B4EE96FC88A2443836B86FF3C40C0E94D8F7010201B27072C81D28A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048700Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:21.729{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BEBE4425EF6CE4BFE594E31E67D930A,SHA256=495E2A4F859009517A923DD866C252138AC1D6E5C80F7A3483751EA3B1C1278A,IMPHASH=00000000000000000000000000000000falsetrue 
354300x800000000000000048699Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:19.269{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50632-false10.0.1.12-8000- 23542300x800000000000000048698Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:21.167{C8F4C507-4938-6140-1000-00000000F001}420NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=47C0D3E73DB7E95B1D1F0C058C5099C3,SHA256=AAB75362732B82B879FCAF363B1D431A2D268D2057E516CFDC5ABF9A5A63D310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048702Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:22.730{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=250EFA23ECD7777D913FB2EDA5D6A9D1,SHA256=4A5A211EAFFF597516FE25A9B57066093400FB4E616CA1A5A0C29756B4AE0BA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025931Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:22.735{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-633E-6140-6F06-00000000F101}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025930Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:54:22.735{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025929Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:22.735{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025928Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:54:22.735{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025927Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:22.735{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025926Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:54:22.735{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025925Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:22.735{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025924Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:54:22.735{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025923Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:22.735{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025922Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:54:22.735{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025921Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:22.735{4A7D70D7-4BB7-6140-0500-00000000F101}416952C:\Windows\system32\csrss.exe{4A7D70D7-633E-6140-6F06-00000000F101}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025920Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:22.735{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-633E-6140-6F06-00000000F101}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025919Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:22.736{4A7D70D7-633E-6140-6F06-00000000F101}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000025918Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:22.469{4A7D70D7-633E-6140-6E06-00000000F101}2688224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025917Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:22.219{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-633E-6140-6E06-00000000F101}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025916Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:22.219{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025915Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:54:22.219{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025914Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:22.219{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025913Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:54:22.219{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025912Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:22.219{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025911Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:54:22.219{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025910Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:22.219{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025909Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:54:22.219{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025908Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:22.219{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025907Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:22.219{4A7D70D7-4BB7-6140-0500-00000000F101}416952C:\Windows\system32\csrss.exe{4A7D70D7-633E-6140-6E06-00000000F101}2688C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025906Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:22.219{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-633E-6140-6E06-00000000F101}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025905Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:22.220{4A7D70D7-633E-6140-6E06-00000000F101}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048701Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:22.514{C8F4C507-4948-6140-2A00-00000000F001}2916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0477d517a1c234eb8\channels\health\respondent-20210914070338-107MD5=444213A5E4761AD14A80FA7E47991D82,SHA256=0DBDB8A4E56CED56EF8E5BF7E0DBD8D08A5C60B4FE09EE301DC946EF89962DD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048704Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:23.744{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3720BB7FF5836A3A001288420D93C3DD,SHA256=3F559A9D9D6DD7E76613421650A35247529812E5458D03EED77A95CF1696F45B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025947Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:23.376{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFF0F8434AD9E1EF0E7056E5B82DF0C5,SHA256=BD20DDA494FFE47D9816C36779015C05905C2EB7801D9AC1783992A4ABC6BC54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025946Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:54:23.376{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E60D6F2DBE85FFB92D9D5929941B570D,SHA256=DF9BA466A505C2EAB2F9B41C3FADB2407CC7697C19BFA506F674D7EBC3F708E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025945Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:23.376{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A504892826B50E4B8FC803BC7E4DA17C,SHA256=E3D3A69D1D60935BEB2168141FCA73426B0E4ADE0B0D6125B7AA5076A14C2EDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025944Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:23.235{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-633F-6140-7006-00000000F101}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025943Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:54:23.235{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025942Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:23.235{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025941Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:54:23.235{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025940Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:23.235{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025939Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:54:23.235{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025938Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:23.235{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025937Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:54:23.235{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025936Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:23.235{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025935Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:54:23.235{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025934Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:23.235{4A7D70D7-4BB7-6140-0500-00000000F101}416952C:\Windows\system32\csrss.exe{4A7D70D7-633F-6140-7006-00000000F101}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025933Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:23.235{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-633F-6140-7006-00000000F101}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025932Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:23.236{4A7D70D7-633F-6140-7006-00000000F101}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048703Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:23.513{C8F4C507-4948-6140-2A00-00000000F001}2916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0477d517a1c234eb8\channels\health\surveyor-20210914070336-108MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048705Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:54:24.757{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B1EB8C0148C1D6A182E8535847C700E,SHA256=E9EDB84C6F820A6E124965B0A6EABA175FFAAC7B9B06FDBEF0E6390A996D6995,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025948Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:24.251{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6184C6837276BEBB10250432D644784,SHA256=A003310F0B86A46F0C524088327042C87F831F73F4EEDB9D03881C371C564C24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048706Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:25.804{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F5BE91A64C7FF38DFBBACB4CFA1170C,SHA256=48142244DCFDE9393617B3EA79F1328BBC647262868FFBC9FD7552E8C8EEE8EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025964Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:25.684{4A7D70D7-6341-6140-7106-00000000F101}18002724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025963Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:25.512{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-6341-6140-7106-00000000F101}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025962Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:25.512{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025961Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:54:25.512{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025960Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:25.512{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025959Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:54:25.512{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025958Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:25.512{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025957Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:54:25.512{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025956Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:25.512{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025955Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:54:25.512{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025954Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:25.512{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025953Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:25.512{4A7D70D7-4BB7-6140-0500-00000000F101}416532C:\Windows\system32\csrss.exe{4A7D70D7-6341-6140-7106-00000000F101}1800C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025952Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:25.512{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-6341-6140-7106-00000000F101}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025951Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:25.513{4A7D70D7-6341-6140-7106-00000000F101}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025950Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:25.371{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B8799F7FFC97E90AE4D8512EF4B8B30,SHA256=A136DEFF0C21C8E1A032F3E9781B08475CD276A2C9CE85EBD4E1C28A30E78FCB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025949Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:21.683{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50940-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000048708Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:26.820{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82879E9236E3C04A3F04EED89889536E,SHA256=B480CA5CE7382C5BE8AF0533FF2B1ADEF7A80BA8DB14099E480FA8FF25626D9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025993Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:54:26.793{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-6342-6140-7306-00000000F101}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025992Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:26.793{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025991Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:54:26.793{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025990Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:26.793{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025989Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:54:26.793{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025988Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:26.793{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025987Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:54:26.793{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025986Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:26.793{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025985Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D80D72CA06DB5C2B5DA52A02C9155FD1,SHA256=A718133C6F708AABC5041FE6F8A8CA6DC29CCEC7F7EA4E3536CFC454D1F20A3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048718Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:36.039{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC9C7359D29C51CECF0B22A7C5D9F4E,SHA256=1A3D881EAD5FC48E2DBE0DA02FABDF3F23FAE8F221CFD4551DE51DF9741A8058,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026022Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:37.667{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9823A65A72D6A8FC22BD81AB9B33DFA4,SHA256=6FDC9AAA16CFAA83D21F8F3B7270F07C8C899C0738213432D7E7922E37ADA945,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048728Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:36.281{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50635-false10.0.1.12-8000- 10341000x800000000000000048727Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:37.148{C8F4C507-5C87-6140-B607-00000000F001}33726300C:\Windows\Explorer.EXE{C8F4C507-628F-6140-F508-00000000F001}6204C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048726Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:37.148{C8F4C507-5C87-6140-B607-00000000F001}33726300C:\Windows\Explorer.EXE{C8F4C507-628F-6140-F508-00000000F001}6204C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048725Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:37.148{C8F4C507-5C87-6140-B607-00000000F001}33726300C:\Windows\Explorer.EXE{C8F4C507-628F-6140-F508-00000000F001}6204C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048724Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:37.148{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-628F-6140-F508-00000000F001}6204C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048723Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:37.148{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-628F-6140-F508-00000000F001}6204C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048722Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:37.148{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-628F-6140-F508-00000000F001}6204C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048721Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:37.148{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-628F-6140-F508-00000000F001}6204C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048720Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:37.070{C8F4C507-4948-6140-2D00-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=97307B6C6226AFFEFEDDF9EBA24D5EA3,SHA256=4CB856A974CB30F2D8F223261AE885385947BBAEFF3925236FB5B2D7588E78E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048719Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:37.054{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2159FB19CF2CB708ECD27584D0D1A75F,SHA256=B3D4CD8FB36B14C1790DEDA112ACF48FE0310F300F91638F113729807E769BEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026023Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:38.683{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16FB675323610355EED83BB4C452A0AD,SHA256=F7A9396EE57BAE8130B784FD164C4D42BE01A0D00C47333859E5F2E5316480E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048729Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:38.070{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37C85AE86191F065ABC1ECFDA33E6B8E,SHA256=AC5E3D439DEDD8072BFF9733FD32C5782337C3AF83CA1D93B1E92AAADDB79329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026024Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:39.714{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0C4B5DA9C169B109440943EA9D482B2,SHA256=F242401DFDB64C82C0887B79A116D103A6EB7E7C786EA975887F5669CFD201E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048731Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:39.086{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF5CA15D376E05F287712ED58934AA99,SHA256=3BEEFD3BC2062598052C4B14956DF439A13E42651546A3399F468949A3E62849,IMPHASH=00000000000000000000000000000000falsetrue 
354300x800000000000000048730Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:37.172{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50636-false10.0.1.12-8089- 23542300x800000000000000026026Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:40.714{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9CDC43AC4DBA31A744AD5FC3AFEA6DF,SHA256=1D58A07B51BB9A66B523D58753CF743E26B8F037C802782154219A0049D2E81E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048732Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:40.101{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89BFF521324A37C42CF91B84AA13B5CA,SHA256=1FBCF444951AD1EEBD63E0C651DB9A9F68CAF430674CBD2C18B79027F51E037C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026025Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:36.819{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50943-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026027Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:41.745{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24639391F19617B4C1DDEFC23570B608,SHA256=B576D12265E8F65C4C5775073EED299A2A429D430145478576134DA3E472CFAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048733Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:41.132{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98C76727DB49D35702A6F56598884A98,SHA256=ABB47D6BC16152A4AEF84B4E62FE682BECC7582B02301BE93FF4963B64F17649,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026028Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:42.792{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBCCDA502F1A0E0505C0543C6EF17468,SHA256=D60A282EB1B0FAC8A207E1729C90F3B0343F8F9CA7CA51B7F31794C286320CCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048734Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:42.132{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D3B630A20362A918520C8D6FFAE2AF3,SHA256=F2133885C3A9190110E6E96B1B7A070D1E8E09160E7FD183ACF029BEA33241F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026029Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:54:43.823{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68E63B26B6AEFCCBD0E2C60B620B7A86,SHA256=031EAB42ACFBCA0CA7B35B9F1EF71789A6BD8A3589C73C0BD005C44E4CC6147C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048735Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:43.179{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2B4686A6A99F6EB6B3F3AF6CE3E540B,SHA256=CFA2227F605BF2D7A9A6EC69C71656A37D3AAFCB1AB6D98AA63A9302874E0E6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026030Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:44.829{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1BA77D2A0D09C3B97C07C1BAF6615F3,SHA256=861ACA52024C16AF660ACC5A8F827D3B43861EF19EDB4BFD72ED7194109B3447,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048738Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:44.824{C8F4C507-628F-6140-F508-00000000F001}6204ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=761FCEC89AD70EACF6557581D97FC00F,SHA256=434A72CBA380A722DF36E4E33B756CE2D7B9C1ACBC65F5B191E8461A3BEA75DC,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000048737Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:44.179{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0779ADE353F87BE79C171031A1BD75C8,SHA256=44FF6EE8F0F17E8CCA2546878B4890E723B5A2EBDF7B2D84244F7C4084BD37FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048736Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:42.281{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50637-false10.0.1.12-8000- 23542300x800000000000000026031Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:45.860{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=901F9B71A9AFCC88E1F6EA27EED2701D,SHA256=4F31D601F4432D69B4460FF6588C68254CCFBE13806AAF211E187FD8C68E2A6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048739Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:45.184{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4BAC360ABC8D65BFF622D34896F201D,SHA256=C3B6009959F305A96E51EC09800C70B97A96472C12D835FFCFDD382B57C565AF,IMPHASH=00000000000000000000000000000000falsetrue 
354300x800000000000000026033Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:42.725{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50944-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026032Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:46.875{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99C7F58BB4BC70420E7DA8DC59E4AC9D,SHA256=4DAA1EA4052B1CCDECC7E78C5FD84AAD42BEEA6D5D609DF1510A15A22D6117BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048740Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:46.199{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=354A6246480F268657E013D1F545B5BA,SHA256=039AF9BAAE744B3C1A7B8E36E342A0DD28045EF89D21ADF5FB2D27B0CB339340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026034Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:47.922{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98ADD39EB5E262BE273274ADF03A726A,SHA256=9F1AE9290831480150C785C42BF84A8B601598EC8A9E47C94B6E5BA4C342E6B0,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000048750Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:47.809{C8F4C507-6357-6140-1409-00000000F001}20441540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048749Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:47.637{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-6357-6140-1409-00000000F001}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048748Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:54:47.637{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048747Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:47.637{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048746Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:54:47.637{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048745Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:47.637{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048744Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:47.637{C8F4C507-4936-6140-0500-00000000F001}416532C:\Windows\system32\csrss.exe{C8F4C507-6357-6140-1409-00000000F001}2044C:\Program 
08:54:53.918{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048816Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:53.918{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048815Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:54:53.918{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048814Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:53.918{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048813Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:53.918{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-635D-6140-1A09-00000000F001}7032C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048812Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:53.918{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-635D-6140-1A09-00000000F001}7032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048811Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:53.919{C8F4C507-635D-6140-1A09-00000000F001}7032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048810Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:53.574{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F62FCF044A175DB8C4897BBCAB3324CF,SHA256=64D0D238B586A88B5B3EE9A83F32614E9E5428373A90DF5CE1D24CB2BC2E7DF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048809Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:53.434{C8F4C507-635D-6140-1909-00000000F001}63442844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048808Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:53.324{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D59C12BF62827BA0BD09E6BEDFF8926,SHA256=B98594E587007BEF972E824BA13CFCC209653313509E6B05ECAE757CA6D52A4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026040Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:53.032{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B104DBC21B3D228B14395D57F4C00744,SHA256=4421260CB8DEBE51D7A4C7583219A67E9F6A3F7FA48503719BBC43D6A61770A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048807Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:53.246{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-635D-6140-1909-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048806Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:54:53.246{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048805Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:53.246{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048804Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:54:53.246{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048803Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:53.246{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048802Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:53.246{C8F4C507-4936-6140-0500-00000000F001}416432C:\Windows\system32\csrss.exe{C8F4C507-635D-6140-1909-00000000F001}6344C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048801Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:53.246{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-635D-6140-1909-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048800Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:53.247{C8F4C507-635D-6140-1909-00000000F001}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026041Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:54.266{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F336580038FC7D0988B4FEFE0BE1BE93,SHA256=563C25997621510BCD781EB18670EFF43B89912DB105573EA9E6B8DE3173D057,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048820Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:54.934{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E21E18ACFC322C43BB4D79B049B05CB3,SHA256=04AD35094F9D1D8B9A38BC136714E48854F1851F75EE9D4D5B4221133E72F093,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048819Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:54.324{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937C99A9771BCB72460D602A6F3F07FA,SHA256=EE30B5CE84E5F07C14948CC010BBF43061EEE10E3516CD559702F04B49833BEC,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000026042Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:55.344{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF6005F14B20BA2123FFD14053EF2B71,SHA256=2CD40267C2D420C224FDBBA6668A39ECBD3AA052035DAF2B414166737C6545C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048822Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:55.340{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D372738801DE905A8F56333C8C95F63A,SHA256=E77F6B2F79C3ED54D1BD0A7DC171DC07430CABF73E7FBAF191730E066F8156BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048821Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:53.208{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50640-false10.0.1.12-8000- 23542300x800000000000000048823Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:56.340{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F76BB58EEDCC4A7D5218B7158CDBF358,SHA256=887459C133B3060DEC9E2EF0707052896C0BA69213D43A33AE36FC4ADD626BB2,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000026043Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:56.360{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C32CCAE6CB9F2ABD4FD5174735D4FCC,SHA256=390DE1CF09C21E1EB2FBB906CFEB2D6525C61F6EED1F9D351E401646F3AC6753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026045Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:57.375{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9A396C60C6CA571952D8540970A0FB1,SHA256=D3E67002F045B30A6C559CC47F54BF549ADF6BD8478EF31FC597E5D3D87AB588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048824Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:57.356{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C61C8B0DDD62014A6042E13C0F43C88D,SHA256=0DD3C3F7D8E5F799394F88DACB3785D19314C97E976D8527DB5395C853BF4BB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026044Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:53.777{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50946-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 
23542300x800000000000000026046Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:58.391{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7DD0F18A35E53C5FD77279AB757E07A,SHA256=72CCC3788F8F327B09A6A98D64D0B8731D8854BEA4819F3F2812A8DF8B9A661D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048826Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:58.856{C8F4C507-628F-6140-F508-00000000F001}6204ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-09-14_085444MD5=76234E78C80D37636B52EC5B4F103E9F,SHA256=D3163290D47FE210877C7876C4F772715A13A2E84A0BE4C1AB6A3BAEAB6282B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048825Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:58.371{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D0A3AF4B28A28F10343B5D27BB8D638,SHA256=E5113AD83956F5F0DC5220B856B9FA5166B376C369E51CA8FEBFCB306F0E0510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026047Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:59.406{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53BB9E63E2BB0D0940A10F4999AA4455,SHA256=2AF53EA0AEF744EC90843DEB68D62365C668F43FE06D10DE52F69EF3AF46C73A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048827Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:59.387{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC392FFCDE8804574378D2749841EFC,SHA256=F1388DDC04F6A6437ACFA9ED9BBB0FA2C870381D1120250BD6BC3A3FBBDB5757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026048Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:00.424{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F350DAB61EA3735B07BE72A4810D746D,SHA256=B832C76BF729C8F73ABD2DDCA5ABB1A0D0A04AFD0F62705C95664394BF118FD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048829Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:54:59.208{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50641-false10.0.1.12-8000- 23542300x800000000000000048828Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:00.387{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3E1B736C469FC0E4C22D4375EF2E7F4,SHA256=5B01217E632DFB5EC9E0AD6C2B7D92DE8FFEE34E3E18C0DD822C32BDA4483A8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026049Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:01.438{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63E23A3DADD3A6F91223A44DE5D69D62,SHA256=B8C73CACFE19452B78ED76772BBFF9700374C8AC700703DA8BF246A0C05C649D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048830Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:01.387{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEF6E44D60B8AD0E6503FB6A8EC4B5E7,SHA256=CD0051D24161D92DE66214AD7AB417BE7A7F8BBA7461C9F79CFC63AA4229D01B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026052Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:02.610{4A7D70D7-4BB8-6140-1300-00000000F101}368NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A6AA9C901BE132BA36117F2083992A86,SHA256=B17142457B9629F6B2EF130FF69A3525B3B694B859EF0D36A15A4664FBD0555F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026051Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:02.453{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E36B6B0E9919CF0C796779A5FCA3F2B3,SHA256=97FFB153BD136536E2085BC1E97EA63C71A74E8EBCF2A2610F5DB4F597AF7583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048831Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:02.387{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EAE06CDE2A6D35B8C230D39BB7F629E,SHA256=ABD6CCF99F22AFF2E90A427100AF5FA4C5215A38EC2268DD9A2D99C377E3C743,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026050Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:54:58.792{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50947-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026053Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:03.469{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C346F0694CB7C16733B11129565B2FDA,SHA256=9CA20F8A710CBF456B43273D3F1C29BE40B8E1F2EE7E8A19ADD2EC827CCA2319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048832Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:03.403{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30A0E60D5BA97AE66C6D2C2DD42F22DD,SHA256=8185F5F2D97CDECAC2737125154B0E42935289183DE91CA56EE4AF54252BF688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026054Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:04.485{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24611B9A99DBB7D6C6105254FCCE53E5,SHA256=4F9508A2D99A14B4DB866D2A8F31438650E1580613DEBD89F6B284D9498DE091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048833Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:04.403{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50AF343599DFF474FDB50131D90D3AC5,SHA256=C1C0330AADF48D4F67B51E7180551C40E3BCEE0C96DA2DE34AB71A04B6203DEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026055Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:05.489{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52152826300A4D853EEE52B623121A5F,SHA256=2EE4F3B5B24BB98C9B9A82F7EC414EEA27B9FCD791D1385949B1643A7E9338DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048836Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:55:05.642{C8F4C507-628F-6140-F508-00000000F001}6204ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-09-14_085444MD5=D2F6C288122889AAF38DB0F56BBE4B46,SHA256=260BDD330602AD733CBE7DD04572260E7AE9D96338A0197BB7D57265A01133C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048835Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:05.626{C8F4C507-628F-6140-F508-00000000F001}6204ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=4CBDA121B43167112EA5BE1D0963D970,SHA256=F448FB0EBA64B62B28227E49FE43520ED1C04F2F5082297083B094E5D128D77F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048834Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:05.407{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45FEEBC769C6D8CF2B125B3087D53D0A,SHA256=AF30F1B654D1B69B8BD27C7EC011FC2D3BDD4C6D204742592526146A8C3BB724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026056Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:06.505{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F69461E95D9A36B575ADDDEDC8DE9A3,SHA256=9F3B463591F128A78FC4AB655ED14A50E1D48A493E396C422EB08669EC155B05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048838Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:55:06.704{C8F4C507-5C86-6140-AF07-00000000F001}13323520C:\Windows\system32\taskhostw.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048837Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:06.407{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51449F5C42913FBE1FF3F656A2EA9272,SHA256=25F40679A364F60BA5FB0AA1AE0A878B6652CBE0579E18948E6DE013286EEC92,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026058Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:03.813{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50948-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026057Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:07.521{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A3D8726805A52EE36119CFA20DEF6F0,SHA256=C40035B236D7FF36541CA55AF72CEB776B5F85A4BB308F877BA08EE299B40F8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048840Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:55:05.181{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50642-false10.0.1.12-8000- 23542300x800000000000000048839Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:07.407{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C23EC365C9DABBE0A4AB75F80ED316A,SHA256=109F87A6A7BA0DFAAA712ABE5FC2CB29EBC3DA549550A0C2451D3922F50ABB4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026059Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:08.536{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B7646B8299DE24B9799A6E993CFC351,SHA256=1CC9C314EAE7372F19BE69021FA8C31106FFE88634EC70FF9AB56E39FA39B93A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048841Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:08.423{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72392311F927A27B65CF97E9366154E2,SHA256=F255A30E478E29049989FB2C71FCECF27AA00514E37AD05727F9068436335E6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026060Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:09.552{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD5164D7577C3B4DD4654B77FCD825EF,SHA256=19B29285E2A209C0A7BC15986F86D8F93C34CD77BA54AB818740C6960A24AF58,IMPHASH=00000000000000000000000000000000falsetrue 17141700x800000000000000048844Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 08:55:09.598{C8F4C507-5C87-6140-B607-00000000F001}3372\UIA_PIPE_3372_000012a4C:\Windows\Explorer.EXE 23542300x800000000000000048843Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:09.439{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCDC2088995DE4527643D28A12795035,SHA256=8852487A18E51D7B2206F50E013FB092E42C57DE1D33CD507AF85437EC32910F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048842Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:09.345{C8F4C507-5C86-6140-AF07-00000000F001}13323520C:\Windows\system32\taskhostw.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026061Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:10.552{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579079A1B72996E5CD3E03F94B36C6C3,SHA256=E96D0A47BB0E056EEDF52437A5C628DC0529BAB7C58C37A1D2D76CCCF4114158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048880Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:10.595{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA17D901BEB9D397C538FC060D3C7AC1,SHA256=6D7995C5CBBB9D3035F585B96A46E061C7FCD00540C3ACD8A7754CFF49F33164,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048879Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:10.079{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048878Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:55:10.079{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048877Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:10.079{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048876Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:55:10.079{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2B00-00000000F001}2924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048875Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:10.079{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2B00-00000000F001}2924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048874Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:55:10.079{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048873Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:10.079{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048872Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:55:10.079{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048871Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:10.079{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048870Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:55:10.079{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048869Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:10.079{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048868Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:55:10.079{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048867Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:10.079{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048866Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:55:10.079{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048865Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:10.079{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048864Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:55:10.079{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048863Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:10.079{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048862Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:55:10.079{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048861Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:10.079{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048860Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:55:10.079{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048859Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:10.079{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048858Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:55:10.079{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048857Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:10.079{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048856Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:55:10.079{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048855Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:10.079{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048854Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:55:10.079{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048853Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:10.079{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048852Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
23542300x800000000000000026120Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:23.817{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F6B93CDAD9D0739EBFA2CB33A46736A,SHA256=4489B1586FDC29E1F73B1AC3B6EC8BF14EEA3D82B2D2254BAF740C33DC2A144B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048903Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:22.213{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50645-false10.0.1.12-8000- 10341000x800000000000000026119Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:23.520{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-637B-6140-7706-00000000F101}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026118Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:55:23.520{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026117Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:23.520{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026116Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:55:23.520{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026115Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:23.520{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026114Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:55:23.520{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026113Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:23.520{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026112Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:55:23.520{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026111Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:23.520{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026110Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:55:23.520{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026109Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:23.520{4A7D70D7-4BB7-6140-0500-00000000F101}416432C:\Windows\system32\csrss.exe{4A7D70D7-637B-6140-7706-00000000F101}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026108Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:23.520{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-637B-6140-7706-00000000F101}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026107Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:23.521{4A7D70D7-637B-6140-7706-00000000F101}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026106Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:23.130{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6362DD7EE2351A3E61C677B9E4D7242,SHA256=1DA962D3BC5B9A62C17E006AC2867E385C3E8861BA83D3CC414A619D48CFA277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026105Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:55:23.130{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25193BBFE0EA5164722F1EC3E457295B,SHA256=F87E127D690EA52F49524FBE0364388C481A0C3B1A12F6218F271CEC59ED9F0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026104Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:23.020{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-637B-6140-7606-00000000F101}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026103Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:23.020{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000026102Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:23.020{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026101Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:23.020{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026100Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:55:23.020{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026099Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:23.020{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026098Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:55:23.020{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026097Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:23.020{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026096Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:55:23.020{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026095Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:23.020{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026094Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:23.020{4A7D70D7-4BB7-6140-0500-00000000F101}416432C:\Windows\system32\csrss.exe{4A7D70D7-637B-6140-7606-00000000F101}3996C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026093Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:23.020{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-637B-6140-7606-00000000F101}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026092Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:23.021{4A7D70D7-637B-6140-7606-00000000F101}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026140Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:26.106{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-637E-6140-7906-00000000F101}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026139Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:26.108{4A7D70D7-637E-6140-7906-00000000F101}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048910Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:27.979{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91D01628FC5EB2A614740482207A248E,SHA256=985118FAD26A7ABA964137B8E512C74720E4909D2DDC71F450A4C4EB34AAE35C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026182Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:27.809{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFD10DBE37218069B00CD02D4CCA35F1,SHA256=918AEB829E06D82428BA6A2C5B1F6C1408D8A307BA5457B9EAB66ABFD514F9F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026181Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:27.716{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-637F-6140-7B06-00000000F101}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000026180Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:27.716{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026179Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:27.716{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000026178Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:27.716{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026177Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:27.716{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026176Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:55:27.716{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026175Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:27.716{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026174Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:55:27.716{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026173Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:27.716{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026172Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:55:27.716{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026171Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:27.716{4A7D70D7-4BB7-6140-0500-00000000F101}416952C:\Windows\system32\csrss.exe{4A7D70D7-637F-6140-7B06-00000000F101}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026170Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:27.716{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-637F-6140-7B06-00000000F101}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026169Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:27.717{4A7D70D7-637F-6140-7B06-00000000F101}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026168Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:27.278{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2706DF2B13FED54044F53A92A345F370,SHA256=CA3581B02BCE4474340627BEC1E2A3FCAE585DEA8E3282AFF37F0B5C5ECDC8AF,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000026167Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:26.997{4A7D70D7-637E-6140-7A06-00000000F101}1876656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026183Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:28.028{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF33B6B5B6629332121DCF9BE194EEA,SHA256=8B3B59F39848BE72406A94FC6DAFFDDFEF8FF547A64D9651C78A5677580212AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026185Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:25.711{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50953-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026184Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:29.044{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E2399728B6D2A839772CEE8B2E53A8,SHA256=2E721F05D420223F06CB012A9AFE1FD707AA53C4D7991B24E74599F94C68D177,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048912Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:27.299{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50646-false10.0.1.12-8000- 23542300x800000000000000048911Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:29.010{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AAB5280B77A44E48D13738DE9DD20DA,SHA256=A111A92BAC9E53AE4A0573FCC86077945E4746C58A4F4A3EE20A7CE2EDEB3601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026186Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:30.075{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50A0C6DB210F323CD2965AEC6A23E709,SHA256=A00E81DC8DD5EB71552F17C609231C8C221489FFE34C9D57919E6E51C1A37570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048913Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:30.041{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F57BFC8FD76E098566C76C343750FC0,SHA256=292673FD44A7C32677D14EED7FBECF9C5EDE7EEB7151411DE1D0CD2D844EC8A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026187Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:31.106{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18ECC0A7368883685CDF244B2F1DCF67,SHA256=41B7118362F76499A4DF451E9F2697B637B7311BF48C0B585367B832C7BDC8E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048914Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:31.072{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B3841BB7BD006C03C28D2F92A95AC4,SHA256=0ED74F8FD9D7DA6A745939A576A486613745E7BB0F6977E71D006972F54223D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026188Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:32.122{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F067381632B094DF63B2B6BE457CCE4B,SHA256=7AFE10C70AC01849EE76AA9B4EFD415DD852F55EAD450DE39924FF0A4BD364B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048915Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:32.088{C8F4C507-495A-6140-7B00-00000000F001}3640NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C70D5271DB3851556E5E5F4D28E5E10,SHA256=55748F0BB274B4530B5AD7F555F058718BFA957BF0BECEED03C5F7A5129AFE33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026189Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:33.356{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DF843FED94F3975E1207983EAF7871D,SHA256=0246DC7DC846C743E05E10510DBE6DF0C8BECE82F414780A6BDE3D3B920567D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048917Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:33.901{C8F4C507-628F-6140-F508-00000000F001}6204ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=177B7A48238DC5C11100DAEE06A1A501,SHA256=53987B38E52432138040506DB0FB5C8A2518F62A8E251F4B75EC57F7F901C59B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048916Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:33.119{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C54F229E8C589012C17A0584E99F6F7,SHA256=172B564C9100A85D61AAEC14456F7468229BA78A0FDBBE722B1B779A13611724,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026191Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:55:30.773{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50954-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026190Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:34.372{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC8495688026B421070EA94378B8F922,SHA256=FBBCA5D11364E82C97FAEBBA6A2563386E7803D62010174F8F125D6753CD9488,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048918Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:34.166{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7814DD30FC2911F10AE75455DAADA585,SHA256=AC2767FBAFDABC6623923CE798A82E3C5599F3E559EBD4E04FD1986A71E2C735,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026193Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:35.466{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=952DCAD4D9A09CA946B040E32496C69F,SHA256=2AC7F9058036D5CBEB581DD2E3440AE96BC3782FAFA4412D969FB3AF795D0534,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048920Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:55:33.252{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50647-false10.0.1.12-8000- 23542300x800000000000000048919Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:35.166{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DB98F3B4DADE8F50A4A896CEE299DC8,SHA256=3849BCB46156177640AA2466521BE46669C61717D89C9658F9F1A787F1747B9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026192Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:35.157{4A7D70D7-4BB9-6140-1E00-00000000F101}1200NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048c9ce0a14d8581d\channels\health\respondent-20210914071403-098MD5=6BC7EA00CD47C1D6CBA9803B46ADA0B9,SHA256=8A1C236148BFDB262F48F4DC65B8BF7ED103820369A4D475048D55288754A72B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026195Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:36.558{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54D71B089918A852BEE201D0C2B8345A,SHA256=A0666D74BAE8FC3580AAA41ABF12E31C88E1C112A45F76083E9ADA0ADDDF9918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048921Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:36.197{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program 
10341000x800000000000000049031Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:48.994{C8F4C507-5C87-6140-B607-00000000F001}33726064C:\Windows\Explorer.EXE{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049030Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:48.994{C8F4C507-5C87-6140-B607-00000000F001}33725628C:\Windows\Explorer.EXE{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049029Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:55:48.994{C8F4C507-5C87-6140-B607-00000000F001}33725628C:\Windows\Explorer.EXE{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049028Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:48.978{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000049027Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:48.978{C8F4C507-5C87-6140-B607-00000000F001}33727120C:\Windows\Explorer.EXE{C8F4C507-628F-6140-F508-00000000F001}6204C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049026Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:48.978{C8F4C507-5C87-6140-B607-00000000F001}33727120C:\Windows\Explorer.EXE{C8F4C507-628F-6140-F508-00000000F001}6204C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049025Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:48.978{C8F4C507-5C87-6140-B607-00000000F001}33727120C:\Windows\Explorer.EXE{C8F4C507-628F-6140-F508-00000000F001}6204C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049024Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:48.978{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-628F-6140-F508-00000000F001}6204C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049023Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:48.978{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-628F-6140-F508-00000000F001}6204C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049022Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:48.978{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-628F-6140-F508-00000000F001}6204C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049021Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:48.978{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-628F-6140-F508-00000000F001}6204C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049020Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:48.822{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-6394-6140-1F09-00000000F001}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049019Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:55:48.822{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049018Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:48.822{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049017Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:55:48.822{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049016Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:48.822{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049015Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:48.822{C8F4C507-4936-6140-0500-00000000F001}416432C:\Windows\system32\csrss.exe{C8F4C507-6394-6140-1F09-00000000F001}3872C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049014Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:48.822{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-6394-6140-1F09-00000000F001}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049013Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:48.823{C8F4C507-6394-6140-1F09-00000000F001}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049012Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:48.666{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8A309026636E52188945D1F9EF7A44E,SHA256=1D6241AD9F7C81D32F53708E1B4E78ECC62BB692C75DF47058E9BCA13CCFAF3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049011Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:48.431{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFC23247B0AA0D2A40BBA7426C32F7F6,SHA256=13F1814EAB0B501D9DCCFF360D0C7248A5F78C5F52A42137DD7E3A9D6310A657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026208Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:48.028{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E09E7776D3FD5FE6D57BB327066E7032,SHA256=6179655756015630B9CCC2B70149C4B60AADA2A361DBC29B28113DA3F52E9D73,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000049010Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:48.369{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEDBEC1ABAE1394B2DFDF5A8923D3EFD,SHA256=8444AD0BE887EC9C39E7AE5664DE3A988E48DC0F60C9690F4C28CDB10A3AC8F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049009Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:48.322{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-6394-6140-1E09-00000000F001}796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049008Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:48.322{C8F4C507-4936-6140-0500-00000000F001}416532C:\Windows\system32\csrss.exe{C8F4C507-6394-6140-1E09-00000000F001}796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049007Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:55:48.322{C8F4C507-4937-6140-0C00-00000000F001}8485088C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049006Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:48.322{C8F4C507-4937-6140-0C00-00000000F001}8485088C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049005Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:55:48.322{C8F4C507-4937-6140-0C00-00000000F001}8485088C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049004Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:48.322{C8F4C507-4937-6140-0C00-00000000F001}8485088C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049003Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:48.322{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-6394-6140-1E09-00000000F001}796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049002Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:48.323{C8F4C507-6394-6140-1E09-00000000F001}796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
10341000x800000000000000049001Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:48.291{C8F4C507-5C85-6140-AB07-00000000F001}44801168C:\Windows\System32\RuntimeBroker.exe{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000049000Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:55:48.291{C8F4C507-5C85-6140-AB07-00000000F001}44801168C:\Windows\System32\RuntimeBroker.exe{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000048999Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:55:51.353{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049047Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:51.353{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049046Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:55:51.353{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049045Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:51.353{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-6397-6140-2009-00000000F001}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049044Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:51.353{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-6397-6140-2009-00000000F001}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049043Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:51.354{C8F4C507-6397-6140-2009-00000000F001}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049042Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:51.150{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D70947340E70372686C45C0DA23EC0E,SHA256=7CCE7B0757AA84AB8B094FFC5EDD213833BB970F34452C70DCE1D9693DD366DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026212Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:48.680{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50957-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026211Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:51.060{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5CB13491BEFAB0ADF6899DF731A39F5,SHA256=F62B8BFE954797FB757B2190FC72C9AE99F26BDBB8F2F461D4F7718014812E34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049066Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:52.916{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E6EF0737846DBD2FC67D8AB8D07E070,SHA256=BE294F62991BB050090FB626E0A7949E26FC0F85EAF816F2336756215A1E75F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026213Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:52.060{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC53153BD88B2E9384EE772139F091A3,SHA256=E0ABEAB5EB6537D7868CFCCB7ED5B46ACC9B0F526CA0720EF11981D4F686309E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049065Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:52.733{C8F4C507-6398-6140-2109-00000000F001}64806432C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000049064Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:50.705{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50657-true0:0:0:0:0:0:0:1win-dc-158.attackrange.local389ldap 354300x800000000000000049063Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:50.705{C8F4C507-4948-6140-2700-00000000F001}2876C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50657-true0:0:0:0:0:0:0:1win-dc-158.attackrange.local389ldap 10341000x800000000000000049062Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:52.525{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-6398-6140-2109-00000000F001}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049061Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:55:52.525{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049060Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:52.525{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049059Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:55:52.525{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049058Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:52.525{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049057Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:52.525{C8F4C507-4936-6140-0500-00000000F001}416432C:\Windows\system32\csrss.exe{C8F4C507-6398-6140-2109-00000000F001}6480C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049056Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:52.525{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-6398-6140-2109-00000000F001}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049055Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:52.526{C8F4C507-6398-6140-2109-00000000F001}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049054Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:52.494{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C9D4B6C5A1211F4D841DB5F695797B4,SHA256=C1DB40427EC168DBA0527129AE6F9878CC07712BAD7FEA347AD572BCBC620B49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049089Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:53.947{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5219F09FDC6AB6C0A6A9039D13C029,SHA256=86B0DCC4E5A169B5D0C9B2A23A70982C4BAA021949D94F650EF288E69932738D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026214Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:55:53.075{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C07DAD8EB49A7DB64454F6610AEBF299,SHA256=7E9186AFE8357436B725701B609D307B95058938A73EE6936ED4B8EEB367F370,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000049088Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:53.806{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000049087Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:55:53.806{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000049086Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:55:53.806{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000049085Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:55:53.806{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000049084Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:53.760{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-6399-6140-2309-00000000F001}304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049083Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:55:53.760{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049082Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:55:53.760{C8F4C507-4937-6140-0C00-00000000F001}8482388C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049081Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F99F2DA41EC724E857FFBC273E465AF4,SHA256=300179AB07BFFCBD8E37F0270CDA2B300E96DD5B7BD3F5FD02C8A406FC986962,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049113Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:06.233{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEDBED1EEB0B603C597D238694E7A342,SHA256=9B644FDF7671013EABBC4B4C661BFBA1E3F4C38F02FD297B006475422E488226,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049115Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:06.257{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50660-false10.0.1.12-8000- 23542300x800000000000000049114Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:07.249{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B64CBDB867EA7F8322E4BDD7AC3701,SHA256=E6EF3BDD801C2896401E11682C0B76F441D7769228D8AD47B9E1518A08A813AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049116Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:08.280{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B37455ED57E9607D3ED13B9281CB8E,SHA256=66261C8DB70BA48DC24D7D1AAA5BE38F692ADD009BDAD4245964D1377DF01D06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026234Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:08.018{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B00E4CDB6E02D71E8715ACA13AFF91B2,SHA256=353369CFD85E6F3724545ECFF5CBBD846C4C52621C081C72F882D51C7A4BE0AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049117Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:09.296{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8A1D359F65F494958CCE19E7A00D712,SHA256=B9E67968B3A0B1382726E38411F92B7BEB6275C69AD8A578D7573CCB2B17136A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026236Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:05.685{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50960-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026235Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:09.049{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE6121AFAA021A35AA86A962C31BE386,SHA256=4FFC164E2295631210778315655748D9281567B15602778A9818C4B40E2F6511,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026237Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:10.252{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD857553B0DCD29F03AD373A08FF8247,SHA256=37A1CFF47CCC2004BAC576E1182F7CA3129F2630B616DB53B1F9168A4A297D18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049118Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:10.311{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A5862BF2CFB1632A7DD4626CC180E3,SHA256=443F400D532E376504A0504A4E04B6C0D081146DF1F854B684B11AF663DE276B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049119Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:11.343{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2703131F43BE40A367B950731F90018A,SHA256=A935F18AE2ED4430782BFF508B3ECA181E3DB3829B8CF32A73469F6EA3FAAE8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026239Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:11.689{4A7D70D7-4C3D-6140-9E00-00000000F101}360NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=97307B6C6226AFFEFEDDF9EBA24D5EA3,SHA256=4CB856A974CB30F2D8F223261AE885385947BBAEFF3925236FB5B2D7588E78E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026238Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:11.268{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD09D9CB09A6EF3FB7399FC32D7FD7DF,SHA256=12705A4A8F422847615CAE2AE8C1E07B3E3C4C6EF82F2BC6C548CC4AFDFDEF3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049120Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:12.358{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDDB6CB87AEAF73767B9771D1E4B57E6,SHA256=9BC53BBF0B2A953529134F18CE553C8FE2374A27C2D59C5130BB080D7A9ABDFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026241Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:10.232{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50961-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000026240Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:12.268{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64278EE69BB8AC52625B1584B68FBC68,SHA256=22985C3683E84AF6913E3A448C62674A18404990D14AF67A245D3B8747ADA3C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049121Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:13.390{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD70F76B1859E044573F65D65AACFE79,SHA256=8BA27174C01C1340C2F660B200086EF80632AE02D903F6EC50DB88AEE240B7D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026242Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:13.283{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66B7754CE3B296CB1C66A54A84B483C6,SHA256=EFAB74736E929DF373788DA9964611E971F662508AD92447A19F9D64E656BE33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049123Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:14.390{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C1B57FD1A81F0411E4D28A4BD8B63EE,SHA256=74A4E21A6355C7423533476A259BE45DCA92B2121A513F3E8DF41DE3FC0C9777,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026244Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:14.283{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ECE1DC232D0288807584CFAC8214094,SHA256=B55E96EA052688561515FA9884E55A25D16259112AA10D940A7DA36783259C36,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049122Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:12.226{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50661-false10.0.1.12-8000- 354300x800000000000000026243Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:10.794{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50962-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000049124Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:15.405{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E0DB7E4DB20D3170DE6BCEEB513B80A,SHA256=F6E476CC03BA657541E4429DD28783431DC45DD0207707DBFA5AF450E1A2CFAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026245Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:15.299{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75A4288981C1DC1A8792E30B0D3A6225,SHA256=072EFDC21CD39D520507E8B98FC1BCF325E82ED09072ED7F58BCA95B6C0AFF09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049125Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:16.421{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=151BBEF121CBDB5EA600CB11A346C65F,SHA256=C6A790F9F43A6228971E67C5C3A583E828E07D14C625CC837C0C2B45A5335AC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026246Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:16.314{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41CAB7C61EC7D410BE9D62C3A897CF14,SHA256=C1FF4A120E28170603F46C65B62E975EA259EC6D963CF6DBCA3768E6FD3B6E3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049126Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:17.421{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=731A68921F8A37366C45810EC94AA69D,SHA256=489811789730D6A66FDD6E6A990C10F31D1138933B2D8391D641BA8A72E88618,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026247Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:17.330{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=272ABF103800A019820C6D59D1AA12C1,SHA256=74E1776904D6D303809ABDB55E9B3A73AA6392D88E6C232FF3900631802CC0D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049127Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:18.468{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFF6D6BECECBA8E8B5EAEBD757B3A5B0,SHA256=669CD9E9C597E70F43BDBB8297BEAFF3665FDAA532534903A7B71D246104C6C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026248Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:18.346{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFCEF081D6286E2385034F293B5CEBC9,SHA256=DF1F8D4AEBDCD8668EFDD34304362C251E3408945F9DC4C3B06243EDE87C6B41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049128Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:19.468{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16AFAAF0552D60ECEBB5E2A80FD0BF41,SHA256=5324E5E92B76394D3A985BA9D11D1D0FB8C4A98D72338AE9990D82F8F6B06247,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000026249Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:19.361{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78F062193836FCE6F0322DBF7806952D,SHA256=C5D9D4F7DB6DAFE05A40A552FECAAAFD084BEFC1456E46F7FEA4DEDBD5CD04CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049130Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:20.483{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5656DBB8AB0314D7156E00A7366699F9,SHA256=3C6F12AC10B04456AF5E55AD374F397D00BC91F2980C65E40BB4B55750E09C6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026251Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:20.377{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5096C8726CF9F8157CA634C5501C55FC,SHA256=429B6FFD77ECBA35E08BA2931DA0B6470F6B4202E045F2C7B86E3D7395778367,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049129Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:18.210{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50662-false10.0.1.12-8000- 
354300x800000000000000026250Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:16.622{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50963-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000049132Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:21.499{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67B1FA143B92033DCD6769F3140388E9,SHA256=E4FC246C7AC2510A873FCAF2A37E915D21883F0B5D953DDBF7447642964E6BAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026252Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:21.393{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8889C80FA716F12084DC7B33313821D4,SHA256=01CEC20110ACCF55B09268BFF7DAEB7089ED3873E4D164FE30FCDAD32E088A2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049131Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:21.187{C8F4C507-4938-6140-1000-00000000F001}420NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E6377D9055B1C308858A1B891D06176A,SHA256=0D5FBA75743F05955E244E8D38ABBC3881617E3F147E7D060D4E5B7E16227D72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049133Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:56:22.530{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B04664540FFA0769628DCB2B92368C25,SHA256=8536CE7416DD59D14CC95B0D6F03A117A151FB7F66351FD92A7452895647B580,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026280Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:22.689{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-63B6-6140-7D06-00000000F101}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026279Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:22.689{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000026278Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:22.689{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026277Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:22.689{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026276Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:56:22.689{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026275Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:22.689{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026274Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:56:22.689{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026273Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:22.689{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026272Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:56:22.689{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026271Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:22.689{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026270Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:22.689{4A7D70D7-4BB7-6140-0500-00000000F101}416432C:\Windows\system32\csrss.exe{4A7D70D7-63B6-6140-7D06-00000000F101}1612C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026269Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:22.689{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-63B6-6140-7D06-00000000F101}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026268Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:22.691{4A7D70D7-63B6-6140-7D06-00000000F101}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026267Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:22.408{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E08C6343DAABC5EF5333999BD46642B3,SHA256=966EB8807E24456781A228398C934FC6448F6C0BE9DB2B6DBF9ACCDEC24BFDAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026266Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:22.283{4A7D70D7-63B6-6140-7C06-00000000F101}3088972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026265Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:22.127{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-63B6-6140-7C06-00000000F101}3088C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026264Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:22.127{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026263Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:56:22.127{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026262Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:22.127{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026261Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:56:22.127{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026260Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:22.127{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026259Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:56:22.127{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026258Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:22.127{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026257Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:56:22.127{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026256Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:22.127{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026255Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:22.127{4A7D70D7-4BB7-6140-0500-00000000F101}416532C:\Windows\system32\csrss.exe{4A7D70D7-63B6-6140-7C06-00000000F101}3088C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026254Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:22.127{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-63B6-6140-7C06-00000000F101}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026253Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:22.128{4A7D70D7-63B6-6140-7C06-00000000F101}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026296Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:23.455{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D63B90981F3E9552B2DC444C957B348A,SHA256=4C549B3413C790984098C7EAEDCF57B9004AEB0AB5C4AC3AE088FE881842ED1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049134Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:23.530{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C9E5F7AD1E8F4AE00A3A8E7070A79D3,SHA256=D7247E4B46B278EC10829336596BD62EFE99FDE97D0C76687EF8802FEBF1D5BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026295Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:23.314{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-63B7-6140-7E06-00000000F101}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000026294Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:23.314{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026293Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:23.314{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000026292Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:23.314{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026291Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:23.314{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026290Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:56:23.314{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026289Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:23.314{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026288Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:56:23.314{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026287Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:23.314{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026286Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:56:23.314{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026285Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:23.314{4A7D70D7-4BB7-6140-0500-00000000F101}416432C:\Windows\system32\csrss.exe{4A7D70D7-63B7-6140-7E06-00000000F101}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026284Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:23.314{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-63B7-6140-7E06-00000000F101}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026283Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:23.315{4A7D70D7-63B7-6140-7E06-00000000F101}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026282Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:23.189{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EBB4B335554A50C2F82B493A3F950D5,SHA256=68F6C53DCDEAD0954D82DE95C5E2102AF663FB074827909EF4457F8A40AC5338,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026281Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:56:23.189{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09F6DA98B8494824B080116F57C279FE,SHA256=8DAC83315A5F687DA39E93863F6C41275A9936F1342F81241C0A649C64DF0534,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026298Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:24.689{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=195A0B21A360306DDB834FC9B42F1C67,SHA256=C032824EA5D99486A4BEFD34B2612AFCCEE738D3A3D736360C0E5A90D5FD54B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049135Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:24.562{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E8C0DFC25829484103A184CF34E639B,SHA256=888DF0B07068B7968034B1FD38D45216DFD0860E8FDF5058855B6D0034303784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026297Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:24.330{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EBB4B335554A50C2F82B493A3F950D5,SHA256=68F6C53DCDEAD0954D82DE95C5E2102AF663FB074827909EF4457F8A40AC5338,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000026314Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:25.736{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=969D0ABAC6FA1E3BE06889550C836C2B,SHA256=2CEDD2F068031AC6EF154120EECAD54EFE2D6CEE4E0884686DC42C76642BBAA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049138Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:25.566{C8F4C507-4948-6140-2A00-00000000F001}2916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0477d517a1c234eb8\channels\health\respondent-20210914070338-109MD5=444213A5E4761AD14A80FA7E47991D82,SHA256=0DBDB8A4E56CED56EF8E5BF7E0DBD8D08A5C60B4FE09EE301DC946EF89962DD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049137Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:25.565{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94EEFA3CE1DB12F09B7D3C2A5BCE9CD2,SHA256=1BA0619CA0DB6B86A6AC01B18C9C277CB7B47654CCF0F62D2FA901854AA1F95B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026313Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:25.705{4A7D70D7-63B9-6140-7F06-00000000F101}964916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026312Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:25.533{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-63B9-6140-7F06-00000000F101}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026311Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:25.533{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000026310Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:25.533{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026309Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:25.533{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026308Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:56:25.533{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026307Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:25.533{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026306Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:56:25.533{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026305Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:25.533{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026304Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:56:25.533{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026303Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:25.533{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026302Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:25.533{4A7D70D7-4BB7-6140-0500-00000000F101}416532C:\Windows\system32\csrss.exe{4A7D70D7-63B9-6140-7F06-00000000F101}964C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026301Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:25.533{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-63B9-6140-7F06-00000000F101}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026300Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:25.533{4A7D70D7-63B9-6140-7F06-00000000F101}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000026299Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:21.731{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50964-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000049136Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:23.304{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50663-false10.0.1.12-8000- 10341000x800000000000000026343Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:56:26.876{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026342Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:26.876{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-63BA-6140-8106-00000000F101}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026341Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:56:26.876{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026340Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:26.876{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026339Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:56:26.876{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026338Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:26.876{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026337Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:56:26.876{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026336Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:26.876{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026335Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:56:26.876{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026334Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:26.876{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026333Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:26.876{4A7D70D7-4BB7-6140-0500-00000000F101}416432C:\Windows\system32\csrss.exe{4A7D70D7-63BA-6140-8106-00000000F101}3204C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026332Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:26.876{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-63BA-6140-8106-00000000F101}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026331Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:26.877{4A7D70D7-63BA-6140-8106-00000000F101}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026330Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:26.751{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B4AEC5927D7B230D9C7B481855449E7,SHA256=E281473926EAD3A0A1E73B6A41B80CCEA1D7C943F8A46A2E71D0B2ED45F3FAF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049140Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:26.580{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0900703EC9CCA608FFC4127E42ADA034,SHA256=FCF2A1203A65BD0FBA92F5A7292BBBEA1FB773BCEABDAC3C65CB49AB81FC5A9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026329Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:26.564{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CCD27B77449932C4C8057BFD1D95D93,SHA256=FE380E417E39798EEE359DB58A89F16EA6EDFBECDFA31666B3E3ADE88781A56B,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000026328Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:26.361{4A7D70D7-63BA-6140-8006-00000000F101}32203200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026327Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:26.205{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-63BA-6140-8006-00000000F101}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026326Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:56:26.205{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026325Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:26.205{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026324Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:56:35.203{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-63C3-6140-2509-00000000F001}3328C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049163Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:35.203{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-63C3-6140-2509-00000000F001}3328C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049162Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:35.203{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-63C3-6140-2509-00000000F001}3328C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049161Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:56:35.203{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-63C3-6140-2509-00000000F001}3328C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049160Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:35.187{C8F4C507-4938-6140-1600-00000000F001}13245100C:\Windows\system32\svchost.exe{C8F4C507-63C3-6140-2509-00000000F001}3328C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049159Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:35.187{C8F4C507-4938-6140-1600-00000000F001}13241352C:\Windows\system32\svchost.exe{C8F4C507-63C3-6140-2509-00000000F001}3328C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049158Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:56:35.187{C8F4C507-63C3-6140-2509-00000000F001}33285276C:\Windows\system32\conhost.exe{C8F4C507-63C3-6140-2409-00000000F001}2408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049157Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:35.156{C8F4C507-5C83-6140-A007-00000000F001}42245620C:\Windows\system32\csrss.exe{C8F4C507-63C3-6140-2509-00000000F001}3328C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049156Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:35.140{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049155Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:56:35.140{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049154Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:35.140{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049153Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:56:35.140{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049152Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:35.140{C8F4C507-5C83-6140-A007-00000000F001}4224696C:\Windows\system32\csrss.exe{C8F4C507-63C3-6140-2409-00000000F001}2408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049151Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:56:35.140{C8F4C507-5C87-6140-B607-00000000F001}33724744C:\Windows\Explorer.EXE{C8F4C507-63C3-6140-2409-00000000F001}2408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+1f9bca|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+175660|C:\Windows\System32\SHELL32.dll+17c30c|C:\Windows\System32\SHELL32.dll+19ead8|C:\Windows\System32\SHELL32.dll+17c4a6|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x800000000000000049150Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:35.146{C8F4C507-63C3-6140-2409-00000000F001}2408C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon"C:\Windows\system32\ATTACKRANGE\Administrator{C8F4C507-5C85-6140-1A54-470000000000}0x47541a2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000049178Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:56:36.797{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DED5A6D7D21457A87E5A73F8B5ED954,SHA256=983F53A8648E10D26266DBAD862B776124FD56B45E74E04309E459E19A19F5A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026370Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:33.715{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50966-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026369Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:36.692{4A7D70D7-4BB9-6140-1E00-00000000F101}1200NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048c9ce0a14d8581d\channels\health\respondent-20210914071403-099MD5=6BC7EA00CD47C1D6CBA9803B46ADA0B9,SHA256=8A1C236148BFDB262F48F4DC65B8BF7ED103820369A4D475048D55288754A72B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026368Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:36.471{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=935EECDDBBDDD2D468B158A3B58932C8,SHA256=A3B4213BF821F283059CB54F7F77298810AA452B7D3275CC2ABFF207A10FCF6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049177Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:36.203{C8F4C507-495A-6140-7B00-00000000F001}3640NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=289929E96658D62610C943D8BAF4DEE0,SHA256=FC4AFC7D47BB211530171C9E37003E3970A2C7569926B9F10C2DD62C50236514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049176Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:36.203{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB4EEDB399725A1247E3EA6EE77AC5BE,SHA256=961372E4DC4EE0D400E54FB7A03A48892AE03615AAC8E68DE7CC9E12303CD729,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049180Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:37.843{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE9078F160B19C454C31F56861B10276,SHA256=8CB873F86F5D393801BFB58D61CEDD6ACAC6E2143E828D4264084B9A20B43455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026372Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:37.695{4A7D70D7-4BB9-6140-1E00-00000000F101}1200NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048c9ce0a14d8581d\channels\health\surveyor-20210914071401-100MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026371Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:37.522{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=296E8C7847BB113A5EAE86A3D926061A,SHA256=0B45CC2F3DBFBF713094E43F23AA8FE2C7C31AD497BE32D52A729CD669AB8353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049179Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:37.109{C8F4C507-4948-6140-2D00-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=97307B6C6226AFFEFEDDF9EBA24D5EA3,SHA256=4CB856A974CB30F2D8F223261AE885385947BBAEFF3925236FB5B2D7588E78E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049182Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:38.859{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=493B81565511C3AC88DF40A2D567B6F8,SHA256=2100F92C94337A30756C27D93F76ED5B57C0515FF5DFDE4F1D22F69D6A2DB9D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026373Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:38.584{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=182AFA5576352E45320B2473E09774CF,SHA256=1FC08396C3E024B77D5BD9254161FDEE6B0838DE3A9584EA6F2880A656AF2F17,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049181Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:56:37.211{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50666-false10.0.1.12-8089- 23542300x800000000000000049183Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:39.875{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0F8077B65DE1558F1AD4C223D13FA75,SHA256=805310A4292D7B45556BB034192ABA798F33C83AF22F217039F58D56EE3603DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026374Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:39.616{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B23DFE7ABC6A71DB99BEC0F1E783B56,SHA256=B37004E013CD11A6A05E9A39E4D9E29CCDCC735BFF532439CA483C0449F7F543,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049184Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:40.890{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6F1B15728A693D61BD037521E88D74C,SHA256=C6B70ADB9CB5B55D5AB9C7DE79B21987C6B259AA3FAF643E375B6366F4B776E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026375Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:40.631{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694296F4742A4963CF60BB246615A66B,SHA256=735EBF469922C0E7A13F73B98FE183A2E678491EB9C60C51D8F735935E4EC937,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049186Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:41.890{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=539F4EEEB8B03B2376092CB2327C94AE,SHA256=DF3969A8B7B2890C5A416EC35E8E1BD78E7DCF213019E817345904A2B66F3DA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026376Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:41.647{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422F822426B9238AF541B97BEBAD98FC,SHA256=E7666ADB763E0CE7E7CDBA6F64B08456DEFE2EC80FAC579EB811C78E0E05EC46,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049185Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:40.211{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50667-false10.0.1.12-8000- 23542300x800000000000000049187Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:42.906{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=992D4FFC309BD59FECBC5586E799759A,SHA256=89C8371C66A194F73BD777B414F40DBCABABC429183EB406A17DB4A8F1247AA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026377Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:42.662{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAF95A153AFE9F129C2D2DDA9B314E8F,SHA256=DE39CA5939ECF55D4CB95D192299FD2CC1C080389DE6CDD9BEE1909132C58ED6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049205Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:43.937{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78F76B61B21070D859029F16C76A27FA,SHA256=CBC87F6471EA863695293B42108473F02C67787E847778C3315948EEB9D1BB53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026379Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:43.678{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F7434517C860B27E38F5A338AC88AA1,SHA256=E6BBCAF9FABB8B7A616E80EA3C83479A190E2F2C0AF546A842A07285EAB8F741,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049204Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:56:43.781{C8F4C507-5C87-6140-B607-00000000F001}33725508C:\Windows\Explorer.EXE{C8F4C507-63C3-6140-2409-00000000F001}2408C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049203Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:43.781{C8F4C507-5C87-6140-B607-00000000F001}33725508C:\Windows\Explorer.EXE{C8F4C507-63C3-6140-2409-00000000F001}2408C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049202Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:56:43.781{C8F4C507-5C87-6140-B607-00000000F001}33725508C:\Windows\Explorer.EXE{C8F4C507-63C3-6140-2409-00000000F001}2408C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049201Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:43.781{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-63C3-6140-2509-00000000F001}3328C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049200Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:43.781{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-63C3-6140-2509-00000000F001}3328C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049199Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:56:43.781{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-63C3-6140-2509-00000000F001}3328C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049198Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:43.781{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-63C3-6140-2509-00000000F001}3328C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049197Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:56:43.359{C8F4C507-5C87-6140-B607-00000000F001}33724744C:\Windows\Explorer.EXE{C8F4C507-63C3-6140-2409-00000000F001}2408C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a26e|C:\Windows\System32\ole32.dll+89b6b|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8e1d|C:\Windows\System32\SHELL32.dll+283a8e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x800000000000000049196Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:56:43.359{C8F4C507-5C87-6140-B607-00000000F001}33724744C:\Windows\Explorer.EXE{C8F4C507-63C3-6140-2409-00000000F001}2408C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f62|C:\Windows\System32\ole32.dll+89b39|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8e1d|C:\Windows\System32\SHELL32.dll+283a8e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x800000000000000049195Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:56:43.062{C8F4C507-4938-6140-1600-00000000F001}13245100C:\Windows\system32\svchost.exe{C8F4C507-63CB-6140-2609-00000000F001}2052C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049194Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:43.062{C8F4C507-4938-6140-1600-00000000F001}13241352C:\Windows\system32\svchost.exe{C8F4C507-63CB-6140-2609-00000000F001}2052C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049193Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:56:43.062{C8F4C507-5C87-6140-B607-00000000F001}33724744C:\Windows\Explorer.EXE{C8F4C507-63C3-6140-2409-00000000F001}2408C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8e1d|C:\Windows\System32\SHELL32.dll+283a8e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x800000000000000049192Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:56:43.062{C8F4C507-5C87-6140-B607-00000000F001}33724744C:\Windows\Explorer.EXE{C8F4C507-63C3-6140-2409-00000000F001}2408C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8e1d|C:\Windows\System32\SHELL32.dll+283a8e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000049191Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:56:43.046{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-63CB-6140-2609-00000000F001}2052C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049190Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:43.046{C8F4C507-5C83-6140-A007-00000000F001}42241076C:\Windows\system32\csrss.exe{C8F4C507-63CB-6140-2609-00000000F001}2052C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049189Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:43.046{C8F4C507-4936-6140-0500-00000000F001}416432C:\Windows\system32\csrss.exe{C8F4C507-63CB-6140-2609-00000000F001}2052C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049188Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:56:43.046{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-63CB-6140-2609-00000000F001}2052C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000026378Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:39.720{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50967-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000049209Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:44.989{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=467B0BC185CF210D50D4E044BD27CB26,SHA256=A7F39B08A53A0B7C0C1095F5F206BDB2A0201DE72D6C04ABD0C5B1DD513BF4A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026380Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:56:44.694{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=738BBF206B3CF59D1C7CFACA4C8D25DD,SHA256=0D2D51049A8A5A0CA7F0640D6081436E532D27046FDE9D7720581ECF359953E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049208Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:44.796{C8F4C507-4938-6140-0D00-00000000F001}9046464C:\Windows\system32\svchost.exe{C8F4C507-4938-6140-1600-00000000F001}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049207Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:44.203{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66FB588C8D284A91A1B533ACBCB3EB36,SHA256=F1DAB4D97EA30328CDDDE243F7AA2C7F8A33D42DA2E61AE118DB4AACB9F37318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049206Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:44.203{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=289929E96658D62610C943D8BAF4DEE0,SHA256=FC4AFC7D47BB211530171C9E37003E3970A2C7569926B9F10C2DD62C50236514,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000026381Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:45.695{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3825A6ED5B9EF13AF0817DCB817DFE89,SHA256=9C3AFE582D51E0ED3BBB189AADA0BD238B4CE4DADB54DB2BA0FD9196713E53BF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000049230Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:56:45.473{C8F4C507-63CD-6140-2709-00000000F001}6660C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=65FDF4C256217C05A3F6AB5FD5B191CCD255928585ADF94F96BB08BDEE378029 13241300x800000000000000049229Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:56:45.473{C8F4C507-63CD-6140-2709-00000000F001}6660C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 16341600x800000000000000049228Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local2021-09-14 08:56:45.473C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=65FDF4C256217C05A3F6AB5FD5B191CCD255928585ADF94F96BB08BDEE378029 13241300x800000000000000049227Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:56:45.473{C8F4C507-63CD-6140-2709-00000000F001}6660C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 13241300x800000000000000049226Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:56:45.473{C8F4C507-63CD-6140-2709-00000000F001}6660C:\Program 
Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 13241300x800000000000000049225Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:56:45.473{C8F4C507-63CD-6140-2709-00000000F001}6660C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 13241300x800000000000000049224Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:56:45.473{C8F4C507-63CD-6140-2709-00000000F001}6660C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e) 13241300x800000000000000049223Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:56:45.473{C8F4C507-63CD-6140-2709-00000000F001}6660C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007) 12241200x800000000000000049222Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-DeleteValue2021-09-14 08:56:45.473{C8F4C507-63CD-6140-2709-00000000F001}6660C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 12241200x800000000000000049221Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-DeleteValue2021-09-14 08:56:45.457{C8F4C507-63CD-6140-2709-00000000F001}6660C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x800000000000000049220Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-DeleteValue2021-09-14 08:56:45.457{C8F4C507-63CD-6140-2709-00000000F001}6660C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 12241200x800000000000000049219Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-DeleteValue2021-09-14 
08:56:45.457{C8F4C507-63CD-6140-2709-00000000F001}6660C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x800000000000000049218Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-DeleteValue2021-09-14 08:56:45.457{C8F4C507-63CD-6140-2709-00000000F001}6660C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 10341000x800000000000000049217Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:45.395{C8F4C507-63C3-6140-2509-00000000F001}33285276C:\Windows\system32\conhost.exe{C8F4C507-63CD-6140-2709-00000000F001}6660C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049216Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:45.395{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000049215Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:45.395{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049214Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:45.395{C8F4C507-5C83-6140-A007-00000000F001}42241076C:\Windows\system32\csrss.exe{C8F4C507-63CD-6140-2709-00000000F001}6660C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049213Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:56:45.395{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049212Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:45.395{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049211Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:45.395{C8F4C507-63C3-6140-2409-00000000F001}24084684C:\Windows\system32\cmd.exe{C8F4C507-63CD-6140-2709-00000000F001}6660C:\Program 
Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049210Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:45.366{C8F4C507-63CD-6140-2709-00000000F001}6660C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{C8F4C507-5C85-6140-1A54-470000000000}0x47541a2HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{C8F4C507-63C3-6140-2409-00000000F001}2408C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x800000000000000026382Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:46.710{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC00A6751565A2FA304CDDC93AD11221,SHA256=4A6B7484E382BEEF55F7EF190A1E0CADC37326F90ED3C83654A20EE123B1DE29,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049233Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:45.278{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50668-false10.0.1.12-8000- 23542300x800000000000000049232Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:46.395{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66FB588C8D284A91A1B533ACBCB3EB36,SHA256=F1DAB4D97EA30328CDDDE243F7AA2C7F8A33D42DA2E61AE118DB4AACB9F37318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049231Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:46.020{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D497D8168975BBC3C7D25D500363E573,SHA256=924C617B6416E52089D71A78AD313A7D443812DA49F5B8F2020C0F384DF57702,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026383Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:47.726{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69DEAB05EDCD711993529BC6F6B1D4E4,SHA256=E37F486C8021D51AE676569947C0354B03C814365A4C33AB91240E3862287950,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049245Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:47.879{C8F4C507-63CF-6140-2809-00000000F001}56404788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000049244Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:47.676{C8F4C507-63CF-6140-2809-00000000F001}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000049243Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:47.676{C8F4C507-63CF-6140-2809-00000000F001}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000049242Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:47.676{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-63CF-6140-2809-00000000F001}5640C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049241Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:47.676{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049240Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:56:47.676{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049239Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:47.676{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049238Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049289Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:52.551{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-63D4-6140-2C09-00000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049288Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:52.552{C8F4C507-63D4-6140-2C09-00000000F001}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049287Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:52.145{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E5D736D3F8B6E4A7295B165BA9D43AB,SHA256=B2D488BCDC6777D513501E94F16B473BB8FCEE36CF1F5988C11CC1C420281435,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049286Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:50.716{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50670-true0:0:0:0:0:0:0:1win-dc-158.attackrange.local389ldap 354300x800000000000000049285Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:50.716{C8F4C507-4948-6140-2700-00000000F001}2876C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50670-true0:0:0:0:0:0:0:1win-dc-158.attackrange.local389ldap 354300x800000000000000049284Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:50.356{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50669-false10.0.1.12-8000- 
23542300x800000000000000026391Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:53.820{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E6F56E803D35CCA0EC15ECE939C1B7B,SHA256=CE22077BDFCD694B523D8FFB55B4BB91EBD0A1178D2A1816C06643B04804B734,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000049321Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:53.598{C8F4C507-63D5-6140-2E09-00000000F001}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000049320Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:53.598{C8F4C507-63D5-6140-2E09-00000000F001}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000049319Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:53.583{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-63D5-6140-2E09-00000000F001}3856C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049318Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:53.583{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049317Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:56:53.583{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049316Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:53.583{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049315Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:56:53.583{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049314Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:53.583{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-63D5-6140-2E09-00000000F001}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049313Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:53.583{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-63D5-6140-2E09-00000000F001}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049312Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:53.583{C8F4C507-63D5-6140-2E09-00000000F001}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049311Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:53.567{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8305AF4851BABA029004C55C48D4D650,SHA256=16F045771824E020CE90DCFECE171723583DB5479634C18ADE47A46941A6A41D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049310Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:56:53.286{C8F4C507-63D5-6140-2D09-00000000F001}14964492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049309Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:53.177{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBF2E9F16FE0243FB04215B82B56EC1D,SHA256=C78236F9EEED2AA9B6837F15C04F42FB569ABD7819F4C4614CD637826B1F5D48,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026390Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:50.643{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50969-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 734700x800000000000000049308Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:53.083{C8F4C507-63D5-6140-2D09-00000000F001}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating 
SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000049307Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:53.083{C8F4C507-63D5-6140-2D09-00000000F001}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000049306Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:53.083{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-63D5-6140-2D09-00000000F001}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049305Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:56:53.083{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049304Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:53.083{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049303Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:56:53.083{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049302Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:53.083{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049301Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:53.083{C8F4C507-4936-6140-0500-00000000F001}416532C:\Windows\system32\csrss.exe{C8F4C507-63D5-6140-2D09-00000000F001}1496C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049300Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:53.083{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-63D5-6140-2D09-00000000F001}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049299Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:53.083{C8F4C507-63D5-6140-2D09-00000000F001}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026392Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:54.820{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C942294F46D602B4D1DD9558322186FA,SHA256=AE3479886CCE8FB9125A8CFB038EF0101BB32B848128A0D5B053D5623FB1CFCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049323Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:54.583{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24B4E1AFE0FBA74991C9480604B7D771,SHA256=61202D438EFF22F787318BB11D8265848BD5E503DE3B5333EB34FE42A27F4B5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049322Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:54.208{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46BE6ACC2476C4FBCA0A4503BB93C0AB,SHA256=B5A787F26CAA18BE18427A1FBFE26ED8EFB1D688BD3D54B973861DB0DE8DA70D,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000026393Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:55.835{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F881550BE04719C9A75DFDB29DAB348E,SHA256=43372D26D637D45D0C813B17510B1A9094C776E42D7816673E4343BE69B1B5ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049324Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:55.223{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20952D546F1613D7DC449E969FD68B94,SHA256=250CF3BD211851094098A316CA7B266168ED2F02EFDAC40E49A1E5947F657092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026394Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:56:56.835{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94B1DFF6AF6DDF17A790BF793BF0B17,SHA256=4F784D8B5BB75AE5985F7073323FF51B4FCFC6846EBB57135718BCB2C1930DBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049325Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:56:56.239{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
08:57:18.035{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2B00-00000000F001}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000049371Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:18.324{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50675-false10.0.1.12-8000- 23542300x800000000000000049370Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:19.645{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55EC4552537C93D7B387B15B75E55FC2,SHA256=4C8A01711FCB409A801F1DA9E36F41FEC69808427B5754F198D06BB8194E0D20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026433Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:19.538{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E67CF440473894F52CA40EE9660D909,SHA256=DDCCF6E9AE50844F3EB108C2E1E85D890B46AD38AF2623F3B5316AE82D56B200,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049395Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:20.660{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FED31C0A7A2143F2CCB60FFC921C74B,SHA256=FE84E7E1A1897204878B394EEC33E4E847DB291EE6A437867E0C4629C8900C46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026434Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:20.553{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=639F1D77B841FD2535DFC2EEC5FB3D78,SHA256=6EA1CE0A66DF6236091FB1A64F4E49BA0C0A10EBFE5CDA15075C6FA323B6E120,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049394Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:20.582{C8F4C507-5C86-6140-AF07-00000000F001}13323520C:\Windows\system32\taskhostw.exe{C8F4C507-63F0-6140-2F09-00000000F001}4116C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049393Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:20.504{C8F4C507-5C87-6140-B607-00000000F001}33725496C:\Windows\Explorer.EXE{C8F4C507-63F0-6140-2F09-00000000F001}4116C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049392Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:20.504{C8F4C507-5C87-6140-B607-00000000F001}33725496C:\Windows\Explorer.EXE{C8F4C507-63F0-6140-2F09-00000000F001}4116C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049391Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:20.504{C8F4C507-5C87-6140-B607-00000000F001}33725496C:\Windows\Explorer.EXE{C8F4C507-63F0-6140-2F09-00000000F001}4116C:\Program 
Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049390Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:20.504{C8F4C507-5C87-6140-B607-00000000F001}33724328C:\Windows\Explorer.EXE{C8F4C507-63F0-6140-2F09-00000000F001}4116C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049389Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:20.504{C8F4C507-5C87-6140-B607-00000000F001}33724328C:\Windows\Explorer.EXE{C8F4C507-63F0-6140-2F09-00000000F001}4116C:\Program 
Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049388Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:20.504{C8F4C507-5C87-6140-B607-00000000F001}33724328C:\Windows\Explorer.EXE{C8F4C507-63F0-6140-2F09-00000000F001}4116C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049387Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:20.504{C8F4C507-5C87-6140-B607-00000000F001}33724328C:\Windows\Explorer.EXE{C8F4C507-63F0-6140-2F09-00000000F001}4116C:\Program 
Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049386Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:20.488{C8F4C507-5C86-6140-AF07-00000000F001}13323520C:\Windows\system32\taskhostw.exe{C8F4C507-63F0-6140-2F09-00000000F001}4116C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049385Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:20.488{C8F4C507-5C86-6140-AF07-00000000F001}13323520C:\Windows\system32\taskhostw.exe{C8F4C507-63F0-6140-2F09-00000000F001}4116C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049384Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:20.488{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-63F0-6140-2F09-00000000F001}4116C:\Program 
Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049383Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:20.488{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-63F0-6140-2F09-00000000F001}4116C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049382Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:20.488{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-63F0-6140-2F09-00000000F001}4116C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049381Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:20.488{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-63F0-6140-2F09-00000000F001}4116C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
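Added example, not part of this dataset or of the Splunk Attack Range project: a Python parser that turns the tag-stripped Sysmon events above back into named fields. The XML rendering on this page has lost its element tags, so each event is a run of values in Sysmon schema order: the System header (EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer) followed by EventData. The parser recovers the header from the fused digit run (Sysmon's Task equals its EventID, which makes "10341000x8..." unambiguous), applies per-EventID regexes for ProcessCreate (1), NetworkConnect (3), ProcessAccess (10) and FileDelete (23), decodes GrantedAccess into named process rights, and uses the ProcessGUID-to-PID pairs that ProcessCreate supplies to split the fused SourceProcessId+SourceThreadId of ProcessAccess events, which is otherwise not recoverable without the tags. The five sample events are copied from this page. The assumptions (RuleName is always "-", CommandLine is double-quoted, IPv4 only) hold for this page but not for Sysmon output in general, and every function and field name is mine.

```python
import re

# System header. Sysmon's Task equals its EventID, which disambiguates the fused digit run
# ("10341000x8..." = EventID 10, Version 3, Level 4, Task 10, Opcode 0). RuleName is assumed "-".
HEADER = re.compile(
    r"(?P<eid>\d+)(?P<ver>\d)(?P<lvl>\d)(?P=eid)(?P<op>\d)0x80+(?P<rec>[1-9]\d*)"
    r"Microsoft-Windows-Sysmon/Operational(?P<host>[\w.-]+?)-(?P<etype>[A-Za-z]+)?"
    r"(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})")
GUID = r"\{(?P<%s>[0-9A-F-]{36})\}"
EXE = r"[A-Za-z]:\\.*?\.[eE][xX][eE]"
HASHES = r"MD5=(?P<md5>[0-9A-F]{32}),SHA256=(?P<sha256>[0-9A-F]{64}),IMPHASH=(?P<imphash>[0-9A-F]{32})"
BODY = {  # EventData in Sysmon schema order, for the event types that occur on this page
    # 1 ProcessCreate: FileVersion..CurrentDirectory arrive fused; kept as 'meta' and split below
    1: re.compile(GUID % "guid" + r"(?P<pid>\d+)(?P<image>" + EXE + r")(?=\d)(?P<meta>.*?)"
                  r"(?P<user>[^\\{]+\\[^\\{]+)" + GUID % "logon_guid" + r"(?P<logon_id>0x[0-9a-f]+)"
                  r"(?P<session>\d+)(?P<integrity>Low|Medium|High|System)" + HASHES +
                  GUID % "pguid" + r"(?P<ppid>\d+)(?P<pimage>" + EXE + r")(?P<pcmd>.*)$"),
    # 3 NetworkConnect (IPv4 only, which is all this page contains)
    3: re.compile(GUID % "guid" + r"(?P<pid>\d+)(?P<image>" + EXE + r")(?P<user>.*?)(?P<proto>tcp|udp)"
                  r"(?P<initiated>true|false)(?P<sipv6>true|false)(?P<sip>\d+\.\d+\.\d+\.\d+)"
                  r"(?P<shost>-|[A-Za-z][\w.-]*?[A-Za-z])(?P<sport>\d+)(?P<sportname>-|[a-z]+)"
                  r"(?P<dipv6>true|false)(?P<dip>\d+\.\d+\.\d+\.\d+)"
                  r"(?P<dhost>-|[A-Za-z][\w.-]*?[A-Za-z])(?P<dport>\d+)(?P<dportname>-|[a-z]+)$"),
    # 10 ProcessAccess: SourceProcessId and SourceThreadId arrive as one digit run ('spidtid')
    10: re.compile(GUID % "sguid" + r"(?P<spidtid>\d+)(?P<simage>[A-Za-z]:\\.*?)" + GUID % "tguid" +
                   r"(?P<tpid>\d+)(?P<timage>[A-Za-z]:\\.*?)(?P<access>0x[0-9a-f]+?)(?=[A-Za-z]:\\)"
                   r"(?P<trace>.*)$"),
    # 23 FileDelete
    23: re.compile(GUID % "guid" + r"(?P<pid>\d+)(?P<user>.*?)(?P<image>" + EXE + r")(?P<target>.*?)"
                   + HASHES + r"(?P<is_exe>true|false)(?P<archived>true|false)$"),
}
PROCESS_RIGHTS = {  # winnt.h process access rights, used to decode GrantedAccess
    0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x4: "PROCESS_SET_SESSIONID",
    0x8: "PROCESS_VM_OPERATION", 0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE",
    0x40: "PROCESS_DUP_HANDLE", 0x80: "PROCESS_CREATE_PROCESS", 0x100: "PROCESS_SET_QUOTA",
    0x200: "PROCESS_SET_INFORMATION", 0x400: "PROCESS_QUERY_INFORMATION", 0x800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}

def decode_access(mask):
    """Expand a GrantedAccess mask into named rights; bits without a name are kept as hex."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    leftover = mask & ~sum(PROCESS_RIGHTS)
    return names + ([hex(leftover)] if leftover else [])

def split_events(stream):
    """Yield (header, body) per event; the next header marks where the current body ends."""
    starts = list(HEADER.finditer(stream))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(stream)
        hdr = m.groupdict()
        hdr["eid"], hdr["rec"] = int(hdr["eid"]), int(hdr["rec"])
        yield hdr, stream[m.end():end].strip()

def parse_event(hdr, body):
    rx = BODY.get(hdr["eid"])
    m = rx.match(body) if rx else None
    ev = dict(hdr, **(m.groupdict() if m else {"raw": body}))
    if m and ev["eid"] == 1:
        # Assumption (true on this page): CommandLine is double-quoted and CurrentDirectory is
        # the trailing drive path ending in a backslash, so both can be cut out of 'meta'.
        cwd = re.search(r'[A-Za-z]:\\(?:[^\\":]*\\)*$', ev["meta"])
        quote = ev["meta"].find('"')
        if cwd and 0 <= quote < cwd.start():
            ev["cmdline"], ev["cwd"] = ev["meta"][quote:cwd.start()], cwd.group(0)
    if m and ev["eid"] == 10:
        ev["rights"] = decode_access(int(ev["access"], 16))
    return ev

def parse_stream(stream):
    events = [parse_event(h, b) for h, b in split_events(stream)]
    # ProcessCreate reveals the PID behind each ProcessGUID; that lets us split the fused
    # SourceProcessId+SourceThreadId of ProcessAccess events. Without it both stay None.
    pid_by_guid = {}
    for ev in events:
        if ev["eid"] == 1 and "guid" in ev:
            pid_by_guid[ev["guid"]], pid_by_guid[ev["pguid"]] = ev["pid"], ev["ppid"]
    for ev in events:
        if ev["eid"] == 10 and "spidtid" in ev:
            pid, fused = pid_by_guid.get(ev["sguid"]), ev["spidtid"]
            ok = pid is not None and fused.startswith(pid) and len(fused) > len(pid)
            ev["spid"], ev["stid"] = (int(pid), int(fused[len(pid):])) if ok else (None, None)
    return events

# Five events copied from this page, joined with a space exactly as the page runs them together.
STREAM = " ".join([
    r'154100x800000000000000049372Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:20.294{C8F4C507-63F0-6140-2F09-00000000F001}4116C:\Program Files\7-Zip\7zG.exe19.007-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Temp\" -an -ai#7zMap5560:40:7zEvent5983C:\Windows\system32\ATTACKRANGE\Administrator{C8F4C507-5C85-6140-1A54-470000000000}0x47541a2HighMD5=04FB3AE7F05C8BC333125972BA907398,SHA256=2FB898BACB587F2484C9C4AA6DA2729079D93D1F923A017BB84BEEF87BF74FEF,IMPHASH=9CF6F80DD6DFE9900700C1E11C318B2A{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK',
    r'10341000x800000000000000049378Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:20.301{C8F4C507-5C83-6140-A007-00000000F001}42245620C:\Windows\system32\csrss.exe{C8F4C507-63F0-6140-2F09-00000000F001}4116C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f',
    r'10341000x800000000000000049381Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:20.488{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-63F0-6140-2F09-00000000F001}4116C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781',
    r'354300x800000000000000049371Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:18.324{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50675-false10.0.1.12-8000-',
    r'23542300x800000000000000049396Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:21.192{C8F4C507-4938-6140-1000-00000000F001}420NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0162A85A16B62290AD95F51FDBCD3CBE,SHA256=9D190601864BA5A7A7436640E2226C747168F929FBDDE0F86322D2D0DD2FF79D,IMPHASH=00000000000000000000000000000000falsetrue',
])

if __name__ == "__main__":
    for ev in parse_stream(STREAM):
        print(ev["eid"], ev["rec"], ev.get("cmdline") or ev.get("rights") or ev.get("dip") or ev.get("target"))
```

Running it prints one line per event: the 7zG.exe command line ("x -o"C:\Temp\"" under ATTACKRANGE\Administrator at High integrity, parent explorer.exe), the csrss.exe handle to 7zG.exe decoded as PROCESS_ALL_ACCESS (every named right plus the unnamed 0xc000 bits), Explorer's 0x1410 handle decoded as VM_READ plus the two query rights with its PID/TID split into 3372/288 via the GUID learned from the ProcessCreate event, the streamfwd.exe connection to 10.0.1.12:8000, and the lastalive0.dat deletion. Events whose EventID has no regex here (for example the EID 13 registry SetValue on this page) keep their body under a raw key, so nothing is silently dropped.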
10341000x800000000000000049380Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:20.332{C8F4C507-4938-6140-1600-00000000F001}13245100C:\Windows\system32\svchost.exe{C8F4C507-63F0-6140-2F09-00000000F001}4116C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049379Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:20.332{C8F4C507-4938-6140-1600-00000000F001}13241352C:\Windows\system32\svchost.exe{C8F4C507-63F0-6140-2F09-00000000F001}4116C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049378Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:20.301{C8F4C507-5C83-6140-A007-00000000F001}42245620C:\Windows\system32\csrss.exe{C8F4C507-63F0-6140-2F09-00000000F001}4116C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049377Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:20.301{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049376Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:20.301{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049375Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:20.301{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049374Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:20.301{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049373Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:20.301{C8F4C507-5C87-6140-B607-00000000F001}33724744C:\Windows\Explorer.EXE{C8F4C507-63F0-6140-2F09-00000000F001}4116C:\Program 
Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\7-Zip\7-zip.dll+4f38|C:\Program Files\7-Zip\7-zip.dll+61c5|C:\Program Files\7-Zip\7-zip.dll+698e|C:\Program Files\7-Zip\7-zip.dll+6aa9|C:\Program Files\7-Zip\7-zip.dll+8771|C:\Windows\System32\SHELL32.dll+80287|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+17c30c|C:\Windows\System32\SHELL32.dll+19ead8|C:\Windows\System32\SHELL32.dll+2846d3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c5b0|C:\Windows\System32\SHELL32.dll+179a2e|C:\Windows\System32\SHELL32.dll+736e1|C:\Windows\System32\SHELL32.dll+765c6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026 154100x800000000000000049372Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:20.294{C8F4C507-63F0-6140-2F09-00000000F001}4116C:\Program Files\7-Zip\7zG.exe19.007-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Temp\" -an -ai#7zMap5560:40:7zEvent5983C:\Windows\system32\ATTACKRANGE\Administrator{C8F4C507-5C85-6140-1A54-470000000000}0x47541a2HighMD5=04FB3AE7F05C8BC333125972BA907398,SHA256=2FB898BACB587F2484C9C4AA6DA2729079D93D1F923A017BB84BEEF87BF74FEF,IMPHASH=9CF6F80DD6DFE9900700C1E11C318B2A{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000049399Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:21.692{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C663DB20F834B76F327EFD65A4014EC,SHA256=327B44F8897EC4C7C3B9E6E28179F454011ABB3CB8B557F545B7C6E5F585B0AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026435Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:21.616{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9309C754F2B4E464A36E606A17D9EA89,SHA256=AF897D3269FD1A6413A18280394CB141ECF6666246AE2B76CEC033850B4C2A82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049398Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:21.317{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52A1AE214112B59842448638C43BE02E,SHA256=6E7A02217B0782700CE31BA0E7B07C5EBCE6E6392E01ED4079644D7E806EE2AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049397Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:21.317{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC266636DFD4372567899F0FF0988898,SHA256=0B1FFEE4C5B2939B09F229812754BCB2D2EA3A00698E99E1DE271FA102C17EC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049396Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:21.192{C8F4C507-4938-6140-1000-00000000F001}420NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0162A85A16B62290AD95F51FDBCD3CBE,SHA256=9D190601864BA5A7A7436640E2226C747168F929FBDDE0F86322D2D0DD2FF79D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026464Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:22.883{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2017E6B47B740A90D46BC956570C1B42,SHA256=873AA2BDB0A6709E8102715DC64B317F7C6F5302DECAF023C25FA33029949E6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049403Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:22.692{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AD268057B08BD24F12253DCE996D44E,SHA256=03040422B653665EA8A3003B79E645A307C9E2908813686D6806B3681BEAD7BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049402Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:22.660{C8F4C507-5C87-6140-B607-00000000F001}33725496C:\Windows\Explorer.EXE{C8F4C507-63F0-6140-2F09-00000000F001}4116C:\Program 
Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049401Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:22.660{C8F4C507-5C87-6140-B607-00000000F001}33725496C:\Windows\Explorer.EXE{C8F4C507-63F0-6140-2F09-00000000F001}4116C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049400Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:22.660{C8F4C507-5C87-6140-B607-00000000F001}33725496C:\Windows\Explorer.EXE{C8F4C507-63F0-6140-2F09-00000000F001}4116C:\Program 
Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026463Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:22.819{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-63F2-6140-8406-00000000F101}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026462Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:57:22.819{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026461Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:22.819{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026460Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:57:22.819{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026459Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:22.819{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026458Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:57:22.819{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026457Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:22.819{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026456Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:57:22.819{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026455Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:22.819{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026454Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:57:22.819{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026453Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:22.819{4A7D70D7-4BB7-6140-0500-00000000F101}416532C:\Windows\system32\csrss.exe{4A7D70D7-63F2-6140-8406-00000000F101}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026452Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:22.819{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-63F2-6140-8406-00000000F101}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026451Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:22.820{4A7D70D7-63F2-6140-8406-00000000F101}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000026450Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:22.335{4A7D70D7-63F2-6140-8306-00000000F101}33122024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000026449Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:18.720{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50975-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000026448Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:22.147{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-63F2-6140-8306-00000000F101}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026447Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:57:22.147{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026446Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:22.147{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026445Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:57:22.147{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026444Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:22.147{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026443Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:57:22.147{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026442Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:22.147{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026441Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:57:22.147{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026440Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:22.147{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026439Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:57:22.147{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026438Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:22.147{4A7D70D7-4BB7-6140-0500-00000000F101}416432C:\Windows\system32\csrss.exe{4A7D70D7-63F2-6140-8306-00000000F101}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026437Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:22.147{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-63F2-6140-8306-00000000F101}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026436Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:22.148{4A7D70D7-63F2-6140-8306-00000000F101}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049404Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:23.707{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D1986A457FDF3B3CF56E1473A4F052,SHA256=790A7DD3842A5E25174E6721254C5BD5EBA3F813AED580874B87157B5FD6DCA8,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000026479Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:23.491{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-63F3-6140-8506-00000000F101}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026478Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:23.491{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026477Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:57:23.491{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026476Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:23.491{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026475Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:57:23.491{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026474Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:23.491{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026473Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:57:23.491{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026472Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:23.491{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026471Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:57:23.491{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026470Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:23.491{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026469Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:23.491{4A7D70D7-4BB7-6140-0500-00000000F101}416532C:\Windows\system32\csrss.exe{4A7D70D7-63F3-6140-8506-00000000F101}2528C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026468Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:23.491{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-63F3-6140-8506-00000000F101}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026467Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:23.491{4A7D70D7-63F3-6140-8506-00000000F101}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026466Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:23.210{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3071C4BB046AA52914FF5988BBB334CA,SHA256=A9D41D24E4A71A23BFDC108DF17992E2358AF48CBA2CA839A4D64490EB15BD62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026465Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:23.210{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=630556ACB0B2ED248AA791D34239E530,SHA256=DCF7F1289166752564C0F22C960DF794EBA88D2F8962BD33B1AB508076A34881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049405Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:24.738{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC503F315F17F976FA4E601F7ED96F3,SHA256=73552A138608626ED676F1E958E1BC320A6D7FD44D2C06D4E3F26DD5C455767A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026481Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:57:24.710{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3071C4BB046AA52914FF5988BBB334CA,SHA256=A9D41D24E4A71A23BFDC108DF17992E2358AF48CBA2CA839A4D64490EB15BD62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026480Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:24.116{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=856BD3381CA97D5910ADF359F90B3222,SHA256=F6F44E69C72436548B4CFB5307977B6CA78F5588C70944A6C7E680BCA3565CC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049406Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:25.766{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A289172BF431DDA3EF7DF992CB766651,SHA256=FDCA3E7F41BAD45EBFB3B2A1D6B2F2C65DAB290FAC6A28DE5C85104DE5E22348,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026496Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:25.534{4A7D70D7-63F5-6140-8606-00000000F101}3736736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026495Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:25.393{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-63F5-6140-8606-00000000F101}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026494Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:25.393{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026493Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:57:25.393{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026492Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:25.393{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026491Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:57:25.393{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026490Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:25.393{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026489Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:57:25.393{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026488Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:25.393{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026487Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:57:25.393{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026486Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:25.393{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026485Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:25.393{4A7D70D7-4BB7-6140-0500-00000000F101}416952C:\Windows\system32\csrss.exe{4A7D70D7-63F5-6140-8606-00000000F101}3736C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026484Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:25.393{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-63F5-6140-8606-00000000F101}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026483Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:25.394{4A7D70D7-63F5-6140-8606-00000000F101}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026482Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:25.128{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=001736B83B144B7390172A02AFD1ABAB,SHA256=1100D046566635A19CA47FCBEBDFEC42330C1C8867390C326A716C5D35D836AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049408Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:26.783{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9D168D65A571DD67383A75B6F5867B0,SHA256=090A7115322AB4FEAA4E782520764D3CD7B7BBCF672E788B848D95848EFF3BDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026526Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:26.743{4A7D70D7-63F6-6140-8806-00000000F101}37483228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026525Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:26.565{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-63F6-6140-8806-00000000F101}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026524Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:26.565{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026523Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:57:26.565{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026522Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:26.565{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026521Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:57:26.565{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026520Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:26.565{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026519Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:57:26.565{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026518Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:26.565{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026517Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:57:26.565{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026516Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:26.565{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026515Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:26.565{4A7D70D7-4BB7-6140-0500-00000000F101}416432C:\Windows\system32\csrss.exe{4A7D70D7-63F6-6140-8806-00000000F101}3748C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026514Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:26.565{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-63F6-6140-8806-00000000F101}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026513Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:26.567{4A7D70D7-63F6-6140-8806-00000000F101}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026512Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:26.549{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C8198ABE77F936C99671783885E2CA0,SHA256=0BECCCA88AF79F0E87F78448C9A00744BCD775C15A5EACD475A4284BA5152F67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026511Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:26.534{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C5AD09A1CBAFE7F7B9DA02794CF2B3B,SHA256=D10C172A6ECFA0CC7B7E3D96DAA1B50F74A845BBD726B37D18C471AF62F83EDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026510Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:26.222{4A7D70D7-63F6-6140-8706-00000000F101}5242908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000049407Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:24.246{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50676-false10.0.1.12-8000- 10341000x800000000000000026509Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:26.065{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026508Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:57:26.065{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026507Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:26.065{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026506Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:57:26.065{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026505Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:26.065{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026504Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:57:26.065{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026503Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:26.065{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026502Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:57:26.065{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026501Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:26.065{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026500Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:57:26.065{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-63F6-6140-8706-00000000F101}524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026499Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:26.065{4A7D70D7-4BB7-6140-0500-00000000F101}416432C:\Windows\system32\csrss.exe{4A7D70D7-63F6-6140-8706-00000000F101}524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026498Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:26.065{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-63F6-6140-8706-00000000F101}524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026497Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:26.066{4A7D70D7-63F6-6140-8706-00000000F101}524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049410Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:27.792{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F44416C19AB2450DE937948959A57C00,SHA256=DB048E42FF923018A1D78A0A63994841A7612C7C084DFA5633773A3396C6A6E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026542Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:27.721{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-63F7-6140-8906-00000000F101}2988C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026541Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:27.721{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026540Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:57:27.721{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026539Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:27.721{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026538Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:57:27.721{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026537Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:27.721{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026536Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:57:27.721{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026535Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:27.721{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026534Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:57:27.721{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026533Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:27.721{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026532Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:27.721{4A7D70D7-4BB7-6140-0500-00000000F101}416432C:\Windows\system32\csrss.exe{4A7D70D7-63F7-6140-8906-00000000F101}2988C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026531Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:27.721{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-63F7-6140-8906-00000000F101}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026530Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:27.723{4A7D70D7-63F7-6140-8906-00000000F101}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026529Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:27.596{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A4A0613A16EE9BEC31E0D13212BF244,SHA256=4E1BD85DB932BFB754DE03384A314649248C94F648B2109222A4C4A5D18E6BE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026528Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:24.639{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50976-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026527Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:27.268{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94D26E67F3CD02349FEF7CCB4E84E5FF,SHA256=56FEBC6344B27C264268B596E8EE88D630847C8DE114696BE14EA2A2976E3EE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049409Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:27.097{C8F4C507-4948-6140-2A00-00000000F001}2916NT AUTHORITY\SYSTEMC:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0477d517a1c234eb8\channels\health\respondent-20210914070338-110MD5=444213A5E4761AD14A80FA7E47991D82,SHA256=0DBDB8A4E56CED56EF8E5BF7E0DBD8D08A5C60B4FE09EE301DC946EF89962DD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049412Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:28.808{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F00C087053780D7C4A31D9210C9761CC,SHA256=E00E37E3B4AA9C12ECA54143F708C56EB24B035552B55934CA0D6F52CEB6CE34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026544Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:28.737{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F1E806FFF55A0EE4BDEEC8FC98B049B,SHA256=0C6CFFC7F7C44FDC7C0FC2FB799461C6FE5CB32F054AC4E10EE4726FF175CEDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026543Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:28.284{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A80561463DA8A843322F9DCA6BC6CE0,SHA256=F2A0632966AF7B32C6C3D581BAD47395CC84049C771116F145B42F80BE7CAE20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049411Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:28.104{C8F4C507-4948-6140-2A00-00000000F001}2916NT 
AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0477d517a1c234eb8\channels\health\surveyor-20210914070336-111MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049415Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:29.824{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA0F19D8E8E16B8CE84C8D5909657D1C,SHA256=E33296AF0D74F90DE937365C55146CCDCFD2D03CA4B9FA2DD5BAC451121EEE1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026545Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:29.299{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9146C27B97B807463EA4B74666ED1589,SHA256=DE700AE104E7D263041D7C7D6FC666E7F919EE12A37737851B2364B76DEAAD3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049414Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:29.105{C8F4C507-4938-6140-0D00-00000000F001}9046464C:\Windows\system32\svchost.exe{C8F4C507-628F-6140-F508-00000000F001}6204C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000049413Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:29.105{C8F4C507-4938-6140-0D00-00000000F001}9046464C:\Windows\system32\svchost.exe{C8F4C507-628F-6140-F508-00000000F001}6204C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049416Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:30.855{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43FEF8A67A3F438F5D0A5AA57F23A1A0,SHA256=CC34FFC73C14C8DFB829FE1B35F4A64F74CC2FC768BED2708FAC4851EDA538E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026546Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:30.315{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9AFBD3476D5C4C328B38C01D3B329DC,SHA256=A52F58B8968BCC1C4E896D640D8C18B15486352714074240F84CB4E0EA1BCE31,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049418Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:29.379{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50677-false10.0.1.12-8000- 
23542300x800000000000000049417Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:31.871{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87ED99C30E808ADE6CCA98A787062D58,SHA256=B4A06B3D4DB2705AFCCA43D3D37EC202BB1D0E252BBF786E312AFA0AAC043D5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026547Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:31.331{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD84623CBC079E570D36628DBDAC7AA1,SHA256=150B6AB4B4D8508789AD3D4731E1BE25CCFECCCB96DC52A348ACA132E119F867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049419Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:32.902{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79E466838E6680E0B0652210E5EAEDB7,SHA256=0CC30538F0B8E84D7DF72A9BFAA4ACFA5ED7F139307F417E2FEFB966DE8DA00D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026549Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:29.669{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50977-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 
23542300x800000000000000026548Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:32.346{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80727117FDBE929EB83BFAFC1DE48890,SHA256=01BC2F6BF2750FE12CAE2A2236A69FC5625AAD024D87656A929028C6FF0D62BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049420Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:33.918{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC2FE69E728B89AB8F01FD4AFCB4D52C,SHA256=7DD71166EAE1212C4298EEA57C0A5D3FA872F241663E82C95D0DDCF530F2D130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026550Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:33.362{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4113052445D41D98C52608245DA78693,SHA256=364AABF3CEFC679E29C3E893BD0EB6FD604F40DE0659EE5F9A00F75027552247,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049421Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:34.949{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F951EA05397349DF5DFC6242E61E4011,SHA256=9D76E6A78B919D5598DA815F1215C1D437DA2D72ED848E40B242DF716F4FF82F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026551Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:34.377{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82C87214B693E41FEAC67507BC123245,SHA256=CB5311F29C28AF8CD16A6B1899D27D8A1C1B1553F23315F2C198BF8C3794FEEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049422Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:35.980{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C35947F3E898C38234085C223A637C,SHA256=6C4E4B3E54453C356B740479DE59AAFD0D7038FA00F7391B13537E5DB21F42D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026552Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:35.393{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D6696A1EDEBC31F57A10D81A8E0D38E,SHA256=096C8F82B7CB3E02B953B1644FDFC9D2D6B3D8A1B0D85AC18E165F20E6900734,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026553Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:36.409{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA84A8BB693F5A6D0FBCDA698210204F,SHA256=5560121582595E90CCE12123038CC45E5E0FD77ABBECEA64BFD9F74C5CEA1147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026554Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:37.424{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9F4F93981B29C92CFEF155689044582,SHA256=4DCE0632C2F0DCB42DF2A4AF45F50024615B36CAF6C0368B2256720997580E00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049425Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:37.137{C8F4C507-4948-6140-2D00-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=97307B6C6226AFFEFEDDF9EBA24D5EA3,SHA256=4CB856A974CB30F2D8F223261AE885385947BBAEFF3925236FB5B2D7588E78E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049424Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:35.129{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50678-false10.0.1.12-8000- 23542300x800000000000000049423Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:37.011{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=727081159CB50BE9EC40C4159B6CAE99,SHA256=0C06408DA663D3AC8892B350A8F8B1B50CE9DB5762AFCA2B582C4F459BD24F49,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026557Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:34.716{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50978-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026556Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:38.430{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4971D82C4BA92FEF800EF0BBEEABD069,SHA256=0A4FA755D2FDEC6EB31A58C316B7CEDDF329CD88820A7C1939630C485921A762,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049428Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:37.239{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50679-false10.0.1.12-8089- 10341000x800000000000000049427Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:38.293{C8F4C507-4938-6140-0D00-00000000F001}9046464C:\Windows\system32\svchost.exe{C8F4C507-5C85-6140-AA07-00000000F001}3848C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049426Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:38.027{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE812B8B8DCC283A7D4EBE228BD426D8,SHA256=6F0C28FF5FB55CEBCDFC01DC7DE4FE563D7D8756EA03490EFA4BB650F34F38DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026555Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:38.230{4A7D70D7-4BB9-6140-1E00-00000000F101}1200NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048c9ce0a14d8581d\channels\health\respondent-20210914071403-100MD5=6BC7EA00CD47C1D6CBA9803B46ADA0B9,SHA256=8A1C236148BFDB262F48F4DC65B8BF7ED103820369A4D475048D55288754A72B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026559Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:39.433{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0560998B9603015DF685FAAFE9452B10,SHA256=E3AE78A2667DD4158BDB3989111756FC60AE8F9DD546F717412579B1E7A1CCFB,IMPHASH=00000000000000000000000000000000falsetrue 
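The records above are a Splunk export of Sysmon events from the two Attack Range hosts with the XML field delimiters stripped, so each event (ProcessAccess, EventID 10; FileDelete, EventID 23; NetworkConnect, EventID 3) appears as one unbroken run of text, records are separated by a single space, and some are split across lines. The parser and triage pass below is an added example; it is not code from this page or from the Attack Range project. It assumes Sysmon's own field order for each event type with RuleName left at '-', which holds for every record shown here; the three sample records are copied from this page (record numbers 49413, 49416 and 49418) and laid out the way the export prints them; the access-right constants are the winnt.h values; the verdict rules (LSASS read access, call-trace frames in unbacked memory, event-log deletion) are illustrative thresholds of my own, not detections the page defines. SourceProcessId and SourceThreadId are adjacent digit runs and cannot be separated once flattened, so they are kept as one token.

```python
"""Parse and triage the flattened Sysmon records on this page (added example).
The export lost its XML delimiters, so each record is one run of text, but the
field order is still Sysmon's own (RuleName, UtcTime, ProcessGuid, ...), which
lets regexes keyed on fixed boundaries ('{GUID}', 'C:\\', '0x', 'MD5=') recover
the fields that matter for triage."""
import re
from collections import Counter

# Process access rights (winnt.h). 0x1000 PROCESS_QUERY_LIMITED_INFORMATION is
# what rpcss asks for on COM activation; dumping or injecting needs these three.
PROCESS_CREATE_THREAD, PROCESS_VM_READ, PROCESS_VM_WRITE = 0x0002, 0x0010, 0x0020
DANGEROUS = PROCESS_CREATE_THREAD | PROCESS_VM_READ | PROCESS_VM_WRITE

# Constructed sample: three records (EventID 10, 23, 3) copied from this page,
# laid out as the export prints them: records separated by one space, and one
# record broken across a line.
SAMPLE = r"""10341000x800000000000000049413Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:29.105{C8F4C507-4938-6140-0D00-00000000F001}9046464C:\Windows\system32\svchost.exe{C8F4C507-628F-6140-F508-00000000F001}6204C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049416Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:30.855{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program
 Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43FEF8A67A3F438F5D0A5AA57F23A1A0,SHA256=CC34FFC73C14C8DFB829FE1B35F4A64F74CC2FC768BED2708FAC4851EDA538E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049418Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:29.379{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50677-false10.0.1.12-8000-"""

HEADER_START = r"\d+0x[0-9A-Fa-f]{16}\d+Microsoft-Windows-Sysmon/Operational"
# System block: EventID Version Level Task Opcode Keywords RecordNumber Channel
# Computer, then RuleName ('-') and UtcTime. Task repeats EventID, and the
# backreference uses that to find the digit boundaries.
HEADER = re.compile(
    r"^(?P<event_id>\d+)(?P<version>\d)(?P<level>\d)(?P=event_id)(?P<opcode>\d)"
    r"0x(?P<keywords>[0-9A-Fa-f]{16})(?P<record>\d+)Microsoft-Windows-Sysmon/Operational"
    r"(?P<computer>.+?)-(?P<utc>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})(?P<body>.*)$")
PATH = r"[A-Za-z]:\\.*?\.exe"
BODY = {
    # SourceProcessId and SourceThreadId are adjacent digit runs; their boundary
    # is lost in the flattening, so they are kept as one token.
    10: re.compile(
        r"^\{(?P<src_guid>[0-9A-F-]+)\}(?P<src_pid_tid>\d+)(?P<src_image>" + PATH + r")"
        r"\{(?P<tgt_guid>[0-9A-F-]+)\}(?P<tgt_pid>\d+)(?P<tgt_image>" + PATH + r")"
        r"0x(?P<granted>[0-9A-Fa-f]+)(?P<call_trace>[A-Za-z]:\\.*)$", re.I),
    23: re.compile(
        r"^\{(?P<guid>[0-9A-F-]+)\}(?P<pid>\d+)(?P<user>.+?)(?P<image>" + PATH + r")"
        r"(?P<target>[A-Za-z]:\\.*?)MD5=(?P<md5>[0-9A-F]{32}),SHA256=(?P<sha256>[0-9A-F]{64}),"
        r"IMPHASH=(?P<imphash>[0-9A-F]{32})(?P<is_executable>true|false)(?P<archived>true|false)$", re.I),
    3: re.compile(
        r"^\{(?P<guid>[0-9A-F-]+)\}(?P<pid>\d+)(?P<image>" + PATH + r")(?P<user>.+?)"
        r"(?P<protocol>tcp|udp)(?P<initiated>true|false)(?P<src_ipv6>true|false)"
        r"(?P<src_ip>[0-9a-f.:]+?)(?P<src_host>[A-Za-z].*?)(?P<src_port>\d+)-"
        r"(?P<dst_ipv6>true|false)(?P<dst_ip>[0-9a-f.:]+?)(?P<dst_host>-|[A-Za-z].*?)"
        r"(?P<dst_port>\d+)-$", re.I),
}

def split_records(text):
    """Undo the export's mid-record line breaks, then split on the single space
    that precedes every record's System block."""
    joined = re.sub(r"\r?\n", "", text)
    return [r for r in re.split(" (?=" + HEADER_START + ")", joined) if r.strip()]

def parse(record):
    """Split one flattened record into named fields; None if not EventID 10/23/3."""
    head = HEADER.match(record.strip())
    if not head:
        return None
    rec = head.groupdict()
    rec["event_id"] = int(rec["event_id"])
    body = BODY.get(rec["event_id"])
    fields = body.match(rec.pop("body")) if body else None
    if not fields:
        return None
    rec.update(fields.groupdict())
    return rec

def triage(rec):
    """Return (verdict, reason) for one parsed record; thresholds are illustrative."""
    if rec["event_id"] == 10:
        granted = int(rec["granted"], 16)
        if rec["tgt_image"].lower().endswith("\\lsass.exe") and granted & PROCESS_VM_READ:
            return "alert", "read access to LSASS memory (credential dumping pattern)"
        if "UNKNOWN(" in rec["call_trace"]:  # Sysmon's marker for a frame outside any module
            return "alert", "call trace passes through memory not backed by a module"
        if granted & DANGEROUS:
            return "review", f"0x{granted:x} grants read/write/thread rights"
        return "benign", f"query-only access 0x{granted:x} from {rec['src_image']}"
    if rec["event_id"] == 23:
        if "\\winevt\\logs\\" in rec["target"].lower():
            return "alert", "event log file deleted"
        if rec["is_executable"] == "true":
            return "review", "executable deleted (possible tool cleanup)"
        return "benign", f"{rec['image']} removed {rec['target']}"
    return "info", f"{rec['image']} -> {rec['dst_ip']}:{rec['dst_port']}/{rec['protocol']}"

def summarize(text):
    """Parse every record in an export fragment; tally verdicts per EventID."""
    tally, findings = Counter(), []
    for raw in split_records(text):
        rec = parse(raw)
        if rec is not None:
            verdict, reason = triage(rec)
            tally[(rec["event_id"], verdict)] += 1
            findings.append((rec["record"], rec["computer"], rec["event_id"], verdict, reason))
    return tally, findings
```

Fed the whole page, every ProcessAccess record here comes out "benign": GrantedAccess is 0x1000 and the call trace runs through rpcss.dll inside svchost.exe, which is the RPCSS service querying a process it is activating or brokering for (notepad++.exe, rdpclip.exe, Explorer.EXE, ShellExperienceHost.exe). The FileDelete records are splunk-winevtlog.exe and amazon-ssm-agent.exe deleting files under their own state directories (the WinEventLog modular-input checkpoint and the SSM health channel files), and the NetworkConnect records are streamfwd.exe and splunkd.exe reaching 10.0.1.12 on 8000 and 8089. What the triage rule is waiting for is a record whose target is lsass.exe with PROCESS_VM_READ set in GrantedAccess, or a call trace with an UNKNOWN( frame; neither appears in this section.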
23542300x800000000000000049429Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:39.043{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D80591403FA078D26FED90BA9E132BFB,SHA256=2D2E69411FCE40E708A3A6EEC3B45311DDBC442E30B393BFAE037F3B1B5698F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026558Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:39.228{4A7D70D7-4BB9-6140-1E00-00000000F101}1200NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048c9ce0a14d8581d\channels\health\surveyor-20210914071401-101MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026560Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:40.435{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17D519C490F1E97595F2F634EB40755C,SHA256=03B7ECEB08A6B44A90D5F7C395BE7E0DE69C8AF5CDA28C12345C41425296D6F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049430Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:40.058{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA89C1A5D6016EE10AFC596CF778E572,SHA256=06F373B28CB5D30FCEFBBC965B45BB49D047260D4ECF3875F22BFB167B64F9A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026561Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:41.452{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D22F4AE09E48FCA818A98FAE23AD4C4A,SHA256=B01CB7BDAC299932255D2C59EE79BBA49ED51ED447579299D9515C6E789A99A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049431Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:41.058{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D648F60B57DE5B78BD0151659CB2911,SHA256=BE988C80A115439F4BC91CF7C24FFEC13B13DDD2670A5EF8048C2F428A347138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026562Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:42.466{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=123F4C6639FC4E293B1921867C369969,SHA256=889A7BB5E0B34F2F792F19B6B716EB0D3A44F034458C3C1C3D37282AD08E4A38,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049433Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:40.269{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50680-false10.0.1.12-8000- 23542300x800000000000000049432Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:42.074{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC94D43651870229C377B7CF511E1D2B,SHA256=CCBE67E1E1ADA1596912FFD2D8102B8531EEA9820628BB62ACA42A7FFD43B586,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026564Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:40.711{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50979-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026563Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:43.466{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5DA6553ED6DA5726BF6365B0ED95911,SHA256=8D6C2097F5B6E35B9A7200BA51DDB68DD56E95B5CEFCBC1E018F89B77C0FBEED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049466Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:43.824{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049465Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:43.824{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049464Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:43.824{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049463Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:43.824{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049462Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:43.824{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049461Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:43.824{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049460Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:43.824{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049459Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:43.824{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049458Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:43.824{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049457Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:43.824{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049456Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:43.824{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049455Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:43.824{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049454Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:43.824{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049453Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:43.824{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049452Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:43.824{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049451Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:43.824{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049450Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:43.824{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049449Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:43.824{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049448Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:43.824{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049447Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:43.824{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049446Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:43.824{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049445Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:43.824{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049444Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:43.824{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049443Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:43.824{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049442Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:43.824{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049441Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:43.824{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049440Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:43.824{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049439Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:43.824{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049438Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:43.824{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049437Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:43.824{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049436Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:43.824{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049435Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:43.824{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049434Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:43.090{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86EC56FE907E3410E5723E7A86ABFF3D,SHA256=D44E5F63CA4911B630909AA129FAF48D84B7B121FDFB60A50CEA1F47F74A4A14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026565Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:44.482{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55ECA9BFC38C6464F97266F622989C2F,SHA256=C8E8D429C9CD1225C25DDBB720667ACD2787C286A958F5E05D6C19935883F9E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049467Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:44.215{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49C1FDB6CD7572ED6EE28210304DB127,SHA256=C4C5D967FEF9C537B0F392273F659C6B5417468AE81191BFEB6FC799C74C1DE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026566Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:45.487{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=811CA9325DD60AFC24F389B1A297A95E,SHA256=685B063F1E47F19D207397A9ECCAD028139C824E4178B45372ED201BED2DF41A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049468Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:45.220{C8F4C507-495A-6140-7B00-00000000F001}3640NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF70517EEB791D5C1A03FECC5FB5E44,SHA256=6671ADE74F9381E183FA5571374A584744BEE7ED11B36DA63372DBC96E327ECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026567Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:46.503{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BF04AFE59B93C3C452784B241D54F7C,SHA256=A800E309419F18CE27ED13A36AF4E1EF0D179635411F2A672D8C1EFA447AD59C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049469Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:46.454{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F27C938A61AA5A61D556D918CA05BCCB,SHA256=6FE6F31970971E4A28D6A4A0DD97B46FEC900202636CAB79A837494230FD55A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026568Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:47.612{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30DD136599D488D51E336C684BA48011,SHA256=B4A8C7DE1EE2D501C7DEF36D689DEA4B3353D989B2D655F1A99EF36C0C388496,IMPHASH=00000000000000000000000000000000falsetrue 
734700x800000000000000049481Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:47.626{C8F4C507-640B-6140-3009-00000000F001}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000049480Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:47.626{C8F4C507-640B-6140-3009-00000000F001}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000049479Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:47.626{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-640B-6140-3009-00000000F001}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049478Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:47.626{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049477Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:47.626{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049476Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:47.626{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049475Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:47.626{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049474Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:47.626{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-640B-6140-3009-00000000F001}6520C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049473Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:47.626{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-640B-6140-3009-00000000F001}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049472Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:47.627{C8F4C507-640B-6140-3009-00000000F001}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049471Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:47.454{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97DC027654139928A1C08D4F9717A90B,SHA256=77CADFB5510DDAEA1942A6EEF10B7F39A2AAEC39B52969AE5B2B8795BA723419,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049470Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:45.290{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50681-false10.0.1.12-8000- 23542300x800000000000000026569Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:48.628{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6817BDF7BC97B30258FE6D99037BEEA,SHA256=445920F03433212BE2E9B5D0A744596924B618107CD443C83600E19E52829B26,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000049504Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:48.813{C8F4C507-640C-6140-3209-00000000F001}4468C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000049503Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:48.813{C8F4C507-640C-6140-3209-00000000F001}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000049502Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:48.813{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-640C-6140-3209-00000000F001}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049501Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:48.813{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049500Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:48.813{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049499Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:48.813{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049498Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:48.813{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049497Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:48.813{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-640C-6140-3209-00000000F001}4468C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049496Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:48.813{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-640C-6140-3209-00000000F001}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049495Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:48.814{C8F4C507-640C-6140-3209-00000000F001}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049494Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:48.688{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25AD6C5403CCC382047B1678332DD12F,SHA256=2115B3DC9E1A9C9CE4D0DF7D36E8A42F1CB8D6A16A96723BE3E8AFC5DF8E10E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049493Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:48.688{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52A1AE214112B59842448638C43BE02E,SHA256=6E7A02217B0782700CE31BA0E7B07C5EBCE6E6392E01ED4079644D7E806EE2AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049492Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:48.485{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7975A0D192410A5F238FE966A4FBF07,SHA256=5815874404FCD71CD242F87311EFDE39E10F7B85AD6FEE4C6504602E94346037,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000049491Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:48.313{C8F4C507-640C-6140-3109-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000049490Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:48.313{C8F4C507-640C-6140-3109-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000049489Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:48.313{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-640C-6140-3109-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049488Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:48.299{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049487Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:48.299{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049486Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:48.299{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049485Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:48.299{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049484Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:48.299{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-640C-6140-3109-00000000F001}6408C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049483Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:48.299{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-640C-6140-3109-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049482Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:48.299{C8F4C507-640C-6140-3109-00000000F001}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026570Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:49.628{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EC585B834CE260A57738EBBF8BC09BF,SHA256=7EFD061C43B5C931B02ECB3AF4358E48CBEAF8E6F66E3EB19496CAF8D8E77037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049507Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:49.813{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25AD6C5403CCC382047B1678332DD12F,SHA256=2115B3DC9E1A9C9CE4D0DF7D36E8A42F1CB8D6A16A96723BE3E8AFC5DF8E10E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049506Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:49.595{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CDFB93D06222A97EC41CD4CF848AF85,SHA256=C9ECFB337AC6A7741741FE9D834BFFF4A4DA750629620DB891A642F5A092E3A3,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000049505Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:49.032{C8F4C507-640C-6140-3209-00000000F001}44684004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000026572Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:46.638{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50980-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026571Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:50.691{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC708685C76EC9391A0D0E7B05161DE,SHA256=ED75F62EFCB829F810964AB6AD47F90155FF2A420C2AA981A484AF82F5BE76CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049508Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:50.610{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D3E02A740B0D8F838A9090EB599D18B,SHA256=5F9F0A07B7E44C9A41E1ECA576BB1277F6ABAC6FAD6F6557E58400E69E03AD33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026573Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:51.722{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=812A7E8A2367F5EE9F7AE624284F8546,SHA256=E88D8DB410E7FF80CF907567AB4B66D64B0A5F6B7E9CAD8CC5347F5E2AFC7499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049521Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:51.641{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AECDCBE495A0A1313029C7F8C2A9B17,SHA256=3F05D6B20AC28BB4BCCC16A0EB3BD1D42E7C3DCAB37A82DCB2ABEA3A681A891D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049520Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:51.610{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DB4C3E1BB396980080AE1F7CA35E1E0,SHA256=0BC8DBCB9C9421983E07FDEBD7BF576BF2336B6A61C32FA8DE31AEF545B891B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049519Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:51.485{C8F4C507-640F-6140-3309-00000000F001}14523128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000049518Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:51.329{C8F4C507-640F-6140-3309-00000000F001}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000049517Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:51.329{C8F4C507-640F-6140-3309-00000000F001}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000049516Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:51.329{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-640F-6140-3309-00000000F001}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049515Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:51.329{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049514Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:51.329{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049513Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:51.329{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049512Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:51.329{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049511Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:51.329{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-640F-6140-3309-00000000F001}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049510Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:51.329{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-640F-6140-3309-00000000F001}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049509Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:51.330{C8F4C507-640F-6140-3309-00000000F001}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026574Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:57:52.753{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24040CFCB9F16E8B079D0773333F955F,SHA256=3908BFA7B5B14E87E3861557F86558EAE4ECCECA4F8DF7254E48E2D0046A9372,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049536Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:52.735{C8F4C507-6410-6140-3409-00000000F001}48484408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049535Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:52.657{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CDD5880CC47AEFC1BB5E1FCD98593D5,SHA256=3938EE3B3E7E0F1B8CD89D50BE293562325CB9A4222B852B475AF3C532892D27,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000049534Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:52.548{C8F4C507-6410-6140-3409-00000000F001}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000049533Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:52.548{C8F4C507-6410-6140-3409-00000000F001}4848C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000049532Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:52.548{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-6410-6140-3409-00000000F001}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049531Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:52.548{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049530Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:52.548{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049529Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:52.548{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049528Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:57:52.548{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049527Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:52.548{C8F4C507-4936-6140-0500-00000000F001}416532C:\Windows\system32\csrss.exe{C8F4C507-6410-6140-3409-00000000F001}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049526Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:52.548{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-6410-6140-3409-00000000F001}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049525Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:52.548{C8F4C507-6410-6140-3409-00000000F001}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000049524Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:50.728{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50683-true0:0:0:0:0:0:0:1win-dc-158.attackrange.local389ldap 354300x800000000000000049523Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:57:50.728{C8F4C507-4948-6140-2700-00000000F001}2876C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE183F54E7506167E7E3B1F4B2AD515,SHA256=FD3BA3C2483AA66505BB544DB5DDD8F6A0B723AA25ED024BCD878740A77C61B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049580Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:11.119{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52D85A7BBCD4F32C7FF417D3F5BAA220,SHA256=CF1CA14D95B75880898188B00B3A00E62CA0C68837930DA4AE246EAB43C1FCEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026597Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:11.730{4A7D70D7-4C3D-6140-9E00-00000000F101}360NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=97307B6C6226AFFEFEDDF9EBA24D5EA3,SHA256=4CB856A974CB30F2D8F223261AE885385947BBAEFF3925236FB5B2D7588E78E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026596Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:08.677{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50984-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026599Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:12.855{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B4A7342423B247ABB366F39F5C88174,SHA256=A003CFAB28740120C4A004AD2C0A754E219F786A72D430E64DF7B5A5B8A8F1BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049581Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:12.134{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4273EF1B6F2E8233BCC2281F32EE6ECB,SHA256=2CF42443017A25E5958AB80FA9D0D4E50808C550906FAA6EBE89D6F3B31CD2E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026601Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:13.871{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56F495E0D8ABBA9545EAD2B250962945,SHA256=68730F3E1FB251C8DCD0AD6D258ACAEC8B7A45316E8AC218C13170D8CAA1CB92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049582Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:13.134{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FEF9FF0EB635640941B17F3282C829D,SHA256=2B4169BCF06007958183A42D6767B781B940BD3DFF97274B3329E0A7064434DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026600Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:10.271{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50985-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000026602Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:14.886{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=511085FF15E32F0CB1DBCB52995DC7AB,SHA256=6A2BA2EC9A0E6DA7C6B12FA20553D6BAB42FA7D88314B5CFFD9AE7382E5DA0E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049583Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:14.166{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C6E5511A0FCF1D0F29EC2FEC7A8736,SHA256=BCB0A8BC3F11E80E5F43331F7351316109926149606FAA4A8F2BC3C5C82645B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026603Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:15.902{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47E05F58EF1ECCDBC1E675D8FF190B49,SHA256=F5730976988F8FA02751A7AB05EA88FE9A82AEB9849289503162350307C3C7D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049585Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:15.197{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01E05A018C5D65C8683033ADA97106A5,SHA256=4F295392504C64D48A060822C47CEF14472B6805424C84C1950499F7CFC3CB5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049584Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:13.189{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50687-false10.0.1.12-8000- 23542300x800000000000000026605Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:16.917{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ABBD2E1C7A9159F198607649D5ADBE3,SHA256=158D1E5204645C5C5A55E2D6A99BEAB113296A30C138C2FA21CD3A2A00933282,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000049587Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:58:16.478{C8F4C507-4938-6140-1100-00000000F001}408C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a946-0xa8290f06) 23542300x800000000000000049586Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:16.259{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A104B435F8B4A1E319638A1B147008D8,SHA256=5C3D1824D647752C44A94E646B34AC9FCE1BEB1FD52F9A1BC7CB74419F56A81A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026604Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:13.787{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50986-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026606Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:17.933{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58777A293EDD0E0B1813C3CA5B2D0098,SHA256=56BFF301F87866532B1C3C0F7E0ADD47B6615C9E9DABD20780013BCDB431BEEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049589Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:17.509{C8F4C507-4938-6140-0D00-00000000F001}9046464C:\Windows\system32\svchost.exe{C8F4C507-4938-6140-1600-00000000F001}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049588Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:17.322{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F92968825637078237A664C0E0B2751A,SHA256=1DFFE032781E12AFEE0A922B4A2F7E90A160131AA3D8499FC3436AF503A5D2FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026607Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:18.949{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CF78C08AE26DD30E8E41B755BB04731,SHA256=1E4E28F5554F04FDA04A9799B3DE313A45C8DCA27B187CC2512CA8EAC794DE68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049590Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:18.353{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0C3D3E9C1AF9ED4AA9D3F1C795C92DD,SHA256=1F90CAB4A051A91B97995CAF73BA7EA9D14BCDC6FDDC4CAF61DEB7253DBC017C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026608Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:19.964{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=828B9A447888EC1CF4DA5945BBDE95A6,SHA256=BB0E3FD17450855112D3113E59672E4B519D79411DD6EE12024D131B9D82B91D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049591Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:58:19.369{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA52D92DA3C9C9B1984DE35E1B260230,SHA256=EF766F56B439A308751350A8F2194B567B886394BC79BC5DC742402D4AB89D18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026609Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:20.980{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=082D01AC17402F5B22FDA0544A8B6EA0,SHA256=F5D251EF29DA07B921BBD8DCED168D60F3E309827E73674AA0F4F7C104FF7DEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049593Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:20.369{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43F29A8D942212760FF260C148310335,SHA256=67F9414CA0C4054EF911E4A2607C3BF1CEE5AD65D264AB83B0902886280FD416,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049592Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:18.283{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50688-false10.0.1.12-8000- 23542300x800000000000000026610Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:21.996{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59FD2692A564930629236A726D1AD956,SHA256=889AD99BA05CED4E9FDEC7F7D5232A3B06B8C5248F32FB8C28B64B90226AD4B6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000049605Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:58:21.478{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000049604Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:58:21.478{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006961c8) 13241300x800000000000000049603Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:58:21.478{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a93e-0x49031093) 13241300x800000000000000049602Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:58:21.478{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a946-0xaac77893) 13241300x800000000000000049601Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:58:21.478{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a94f-0x0c8be093) 13241300x800000000000000049600Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 
08:58:21.478{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000049599Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:58:21.478{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006961c8) 13241300x800000000000000049598Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:58:21.478{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a93e-0x49031093) 13241300x800000000000000049597Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:58:21.478{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a946-0xaac77893) 13241300x800000000000000049596Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:58:21.478{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a94f-0x0c8be093) 23542300x800000000000000049595Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:21.431{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A420BBD3299723E72A33ADAB3D496EA,SHA256=ECA3FC1A11686F3D481203CE38B905FE0BD7683BB84CB7D2E07C538E963B1604,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000049594Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:21.197{C8F4C507-4938-6140-1000-00000000F001}420NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=125F898D9E96B8DEAE84321BBE26FCB5,SHA256=F9E33DCC2C72A3377B56E639BC42144BD3632F1E007FB8ED1FB7DBE87E5770AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049606Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:22.462{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=907105CF640DB05308BB5CAA42BA014F,SHA256=DE57D46041F0CB0797148BC6F3DC7A233CB17D05EAA56947EF0318C75489BA32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026638Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:22.839{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-642E-6140-8B06-00000000F101}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026637Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:58:22.839{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026636Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:22.839{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026635Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:58:22.839{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026634Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:22.839{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026633Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:58:22.839{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026632Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:22.839{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026631Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:58:22.839{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026630Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:22.839{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026629Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:58:22.839{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026628Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:22.839{4A7D70D7-4BB7-6140-0500-00000000F101}416432C:\Windows\system32\csrss.exe{4A7D70D7-642E-6140-8B06-00000000F101}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026627Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:22.839{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-642E-6140-8B06-00000000F101}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026626Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:22.840{4A7D70D7-642E-6140-8B06-00000000F101}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000026625Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:19.646{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50987-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000026624Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:58:22.355{4A7D70D7-642E-6140-8A06-00000000F101}29243980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026623Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:22.167{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-642E-6140-8A06-00000000F101}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026622Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:58:22.167{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026621Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:22.167{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026620Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:58:22.167{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026619Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:22.167{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026618Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:58:22.167{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026617Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:22.167{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026616Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:58:22.167{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026615Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:22.167{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026614Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:58:22.167{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026613Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:22.167{4A7D70D7-4BB7-6140-0500-00000000F101}416532C:\Windows\system32\csrss.exe{4A7D70D7-642E-6140-8A06-00000000F101}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026612Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:22.167{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-642E-6140-8A06-00000000F101}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026611Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:22.168{4A7D70D7-642E-6140-8A06-00000000F101}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049607Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:23.462{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EED62A1C5953CADE6BB1F1D32826414,SHA256=6E2E930C741DF4601B8618FD251C586A1C7822D3447D61BF23737C02FE2A8B06,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000026654Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:23.433{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-642F-6140-8C06-00000000F101}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026653Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:23.433{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026652Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:58:23.433{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026651Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:23.433{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026650Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:58:23.433{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026649Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:23.433{4A7D70D7-4BB7-6140-0500-00000000F101}416952C:\Windows\system32\csrss.exe{4A7D70D7-642F-6140-8C06-00000000F101}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026648Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:58:23.433{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026647Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:23.433{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026646Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:58:23.433{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026645Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:23.433{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026644Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:58:23.433{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026643Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:23.433{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-642F-6140-8C06-00000000F101}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026642Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:23.436{4A7D70D7-642F-6140-8C06-00000000F101}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026641Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:23.433{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51C32B94090591DC1FC8027AF892CC3D,SHA256=A110086D13913FFA7790F7D74A0EBBF78C743740CA4ECAB89FDE1FD4C0C35444,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026640Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:23.433{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95CC43AC07541BE0D1F85D746A1B123F,SHA256=30B2ACCC8BD21699A4492F536A8539F25644F167F74E58A2489C40294FC05F9B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000026639Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:23.433{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDD5E26168F270BB021FCCA7354A83EE,SHA256=856D204E8BFC5440090FD57BB605B1C642D92ACDE64BB2763268B89769CA3C08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049608Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:24.462{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE3AA40E0EB87729B546C92E828350A5,SHA256=2F6FE73E63150081FB671773C2C21D70102645D74C31581A22C25CEC994E8A8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026656Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:24.449{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51C32B94090591DC1FC8027AF892CC3D,SHA256=A110086D13913FFA7790F7D74A0EBBF78C743740CA4ECAB89FDE1FD4C0C35444,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026655Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:24.433{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=376AE36A9997581CF62F787BD380831F,SHA256=64B3C822A11C65E6C7A7882A0A79676A09244E3377EB732F88D248144D7A5ECE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026684Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:25.901{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-6431-6140-8E06-00000000F101}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026683Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:25.901{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026682Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:58:25.901{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026681Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:25.901{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026680Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:58:25.901{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026679Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:25.901{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026678Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:58:25.901{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026677Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:25.901{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026676Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:58:25.901{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026675Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:25.901{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026674Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:25.901{4A7D70D7-4BB7-6140-0500-00000000F101}416432C:\Windows\system32\csrss.exe{4A7D70D7-6431-6140-8E06-00000000F101}2124C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026673Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:25.901{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-6431-6140-8E06-00000000F101}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026672Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:25.902{4A7D70D7-6431-6140-8E06-00000000F101}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000026671Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:25.620{4A7D70D7-6431-6140-8D06-00000000F101}35843848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026670Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:25.464{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A7BE29A8C60F2C065E90FB2A16B3973,SHA256=ABC426D514925A72C68A81CAF44DC5F747120F11A88CB7348B0393D329E1A10A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049610Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:25.478{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41226FE16EF422EC9165C18A41E5959E,SHA256=5401149D16241DD08D9B1FB753BFE69E288442E225D57FD917730BA6713175AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049609Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:23.330{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50689-false10.0.1.12-8000- 10341000x800000000000000026669Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:25.401{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-6431-6140-8D06-00000000F101}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026668Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:58:25.401{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026667Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:25.401{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026666Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:58:25.401{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026665Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:25.401{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026664Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:58:25.401{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026663Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:25.401{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026662Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:58:25.401{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026661Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:25.401{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026660Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:58:25.401{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026659Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:25.401{4A7D70D7-4BB7-6140-0500-00000000F101}416532C:\Windows\system32\csrss.exe{4A7D70D7-6431-6140-8D06-00000000F101}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026658Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:25.401{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-6431-6140-8D06-00000000F101}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026657Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:25.402{4A7D70D7-6431-6140-8D06-00000000F101}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026701Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:26.901{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B6ADFC9B42C8AA00D7B78CB1D4B96A5,SHA256=3A515DA42B0C84928F1B949E70FC16028D4FB407F725AA84A3FA4339E95208F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026700Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:58:26.605{4A7D70D7-6432-6140-8F06-00000000F101}27443904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049611Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:26.493{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20E4D10041E31425A99A77E874B293BC,SHA256=27168C6AE6DACBD89D3213A0FBB6BAA6608DC9BCB099DE267E7933DBFA005B7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026699Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:26.448{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E8D2DC0BEC1CE77C505052F3D1DFE98,SHA256=11462466AF7FFCB30573DF21ABA7DE8E3C319FB0891CCEE7F87196772F71F8C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026698Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:26.401{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-6432-6140-8F06-00000000F101}2744C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026697Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:26.401{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026696Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:58:26.401{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026695Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:26.401{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026694Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:58:26.401{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026693Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:26.401{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026692Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:58:26.401{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026691Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:26.401{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026690Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE354F497187C96F71993E092BD4A848,SHA256=16FF0FFBFEFCA4714CE466920ACEAFC7F3FC07CA9997F32C2FA763009C2A072A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026740Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:45.276{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C197B00CC5E3295FC2844B5F768ED0,SHA256=E23AE0B4C022B62F8BE0E102ABC56A19C8FF258C2150D763F5C9A16942306666,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049636Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:45.102{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36CBE0E939C27B740E3938A0CD0061C2,SHA256=43C39BF566B3BF7E626ACE79B91739549D85C67DB8BA856966126E59C7B0A493,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026742Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:42.686{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50991-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026741Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:46.292{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25E0F5549B86C22C977C6087B6A4D664,SHA256=E51BCDFE1811B0785219FB50DDB0360668FFC5FDB01FE62FFEE9A712133152EA,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000049638Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:58:46.431{C8F4C507-4938-6140-1100-00000000F001}408C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a946-0xba03707e) 23542300x800000000000000049637Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:46.149{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCD1976F337E26BEB00887DE82C7E85C,SHA256=9A48644D471B204D3F0BE4A3E140DE72A73FB122AD604DCCD83B4CA06541EF92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026743Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:47.307{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D65F57B88C00008CD8329D43AE1423E9,SHA256=1B574430F5585EA4635E10F13C6AA0F63677741FF645E283A50ABF5F20BAE801,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049651Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:47.790{C8F4C507-6447-6140-3709-00000000F001}59966680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000049650Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:46.219{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50694-false10.0.1.12-8000- 734700x800000000000000049649Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:47.556{C8F4C507-6447-6140-3709-00000000F001}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000049648Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:47.556{C8F4C507-6447-6140-3709-00000000F001}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft 
WindowsValid 10341000x800000000000000049647Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:47.556{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-6447-6140-3709-00000000F001}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049646Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:47.556{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049645Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:58:47.556{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049644Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:47.556{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049643Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:58:47.556{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049642Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:47.556{C8F4C507-4936-6140-0500-00000000F001}416432C:\Windows\system32\csrss.exe{C8F4C507-6447-6140-3709-00000000F001}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049641Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:47.556{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-6447-6140-3709-00000000F001}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049640Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:47.556{C8F4C507-6447-6140-3709-00000000F001}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049639Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:47.165{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2356BB1F7A091460F4667B353A4C593,SHA256=54FB066BEF4731258F7FC8D9912A7C29C85BA6BC4CCAD6B7D9E086181716B73D,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000026744Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:48.323{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF0F119B7350B33260F794C5EC6C89C,SHA256=8FBA56CEEAB9485EE9594C703D59486FD5291B20328951FCE953F031FC5C63D5,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000049674Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:48.696{C8F4C507-6448-6140-3909-00000000F001}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000049673Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:48.696{C8F4C507-6448-6140-3909-00000000F001}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000049672Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:48.696{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-6448-6140-3909-00000000F001}2052C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049671Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:48.696{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049670Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:58:48.696{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049669Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:48.696{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049668Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:58:48.696{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049667Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:48.696{C8F4C507-4936-6140-0500-00000000F001}416532C:\Windows\system32\csrss.exe{C8F4C507-6448-6140-3909-00000000F001}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049666Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:48.696{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-6448-6140-3909-00000000F001}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049665Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:48.698{C8F4C507-6448-6140-3909-00000000F001}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049664Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:48.634{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=583A30BF0B0112422EF948EDC710030C,SHA256=03DC3F8E954E95380E73DEBAF6FC9A993B8F6C7AF97ABD631203D7E65CFD2B3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049663Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:58:48.634{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFEDC4144172AC691A3672DDDFFAD716,SHA256=FB1DA9F186C0626C676333612010139A88B42910E57C2012A90164B9BA789575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049662Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:48.181{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8A56B902759772CCCBF18B6F52A6160,SHA256=76F58450EE76D948F2A8FE45F7949190BFE66F99B8CE4BE6243795F8AEA37A77,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000049661Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:48.056{C8F4C507-6448-6140-3809-00000000F001}1448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000049660Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:48.056{C8F4C507-6448-6140-3809-00000000F001}1448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000049659Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:48.056{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-6448-6140-3809-00000000F001}1448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049658Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:48.056{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049657Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:58:53.837{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049733Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:53.837{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049732Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:58:53.837{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049731Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:53.837{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-644D-6140-3D09-00000000F001}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049730Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:53.837{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-644D-6140-3D09-00000000F001}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049729Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:53.837{C8F4C507-644D-6140-3D09-00000000F001}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049728Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:53.571{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9EF58DE722FE12236FE9A8DA752B0B6,SHA256=EAC2D03486B32C4F88B676A15FE6D8DCB6C30CB897BE9264C180512B8EF51526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049727Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:58:53.462{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D42BC8EAE9DFC7BA06F872889D71127C,SHA256=4D7BFE01B5472EFC4C9C24881A55AE6D1932DC99328D140BB12E36ABD24113A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049726Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:53.337{C8F4C507-644D-6140-3C09-00000000F001}14444696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000049725Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:53.165{C8F4C507-644D-6140-3C09-00000000F001}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000049724Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:53.165{C8F4C507-644D-6140-3C09-00000000F001}1444C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000049723Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:53.165{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-644D-6140-3C09-00000000F001}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049722Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:53.165{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049721Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:58:53.165{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049720Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:53.165{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049719Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:58:53.165{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049718Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:53.165{C8F4C507-4936-6140-0500-00000000F001}416432C:\Windows\system32\csrss.exe{C8F4C507-644D-6140-3C09-00000000F001}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049717Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:53.165{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-644D-6140-3C09-00000000F001}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049716Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:53.166{C8F4C507-644D-6140-3C09-00000000F001}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026751Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:54.714{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E652E8B9D6359110CFB8C878AD26F844,SHA256=7C9FDFA82AED3871D1212F678235B9E964733BA5C4C1EAA472ADCEEA5613AAD7,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000049740Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:54.915{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E692CE4CED6E82DD50F19D54A802E2A,SHA256=96399CBFB7291E41386EB0FF25E22AC5D21FA844C56C1ACAA8C02C7AA310B174,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049739Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:54.337{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C432737093B99BFA440FACC48610EFB,SHA256=34063B9B50746335D2F54B8FF40E1E39DDFA49AED011A8BAE12429F4C78D3DAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026752Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:55.760{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2726F93436E4BED0DF528CA13A30CF6E,SHA256=09A22C0E8DAE2F3838C647E9FD58D6145F6594E521CA7E465414207C5BD2ECE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049741Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:55.352{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F19EFFFA0957BB8543F4D63792C1FE5C,SHA256=3FA5D16FBA44982A8388053F6DCC40E0EA30B33E4DCB78A6428D4C319EC02E05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026753Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:56.792{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1313DA46B59EF6F7D3B9B379EE8324B2,SHA256=BD385F3F1BC1001571C2ADA689514D15A3915A1217A3E6B08414EA1FCC3C3503,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049742Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:56.384{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A10CA08714806E943A105F538B533334,SHA256=A0063D0D491B4E0ED288089FC7BD7AB1E375AA5D2EA35A3B6CB5878E669DE2AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026755Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:57.807{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4BBB5C85C526AC475FF374193A9E77A,SHA256=7AF960DDB49DD2FBC300ABC9824170821A9C2F981870BA76BCFDF09FF32AFF90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049743Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:57.509{C8F4C507-495A-6140-7B00-00000000F001}3640NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=030F43C8312310033EDF8C0317AD6FD1,SHA256=5B803EF1B266D38E59E14B5884BA461490B1088290F5C184FD781E4309048770,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026754Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:53.661{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50993-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026756Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:58.823{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1EC6064446DE9F2138108C5F024534,SHA256=09630D5859E06DAB52B1172D776D37BC6A2417870C742EB7641EB73BC1468012,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049744Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:58.524{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=160504CE1A2F7BB59144E49E379BAA26,SHA256=75CCB50EA7B9DA4C0AC66A8194A5F48FEA136CDDBD6EB21DD39AB7AD9A353EB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026757Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:59.995{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=436A48E0A35564D8596DE3A8CB7384CF,SHA256=F67DF783D0BC932DE4A564D15AF172F2A324D6E6F92E38C8C326FDC416DB12B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049746Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:59.524{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A74DEC7BBF347FCC654BB8F770BFD57A,SHA256=AD9B72215D0CF47E976236175C6EF97970DEA2EE69DF8C04B5DD550E70A5F7A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049745Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:58:57.329{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50697-false10.0.1.12-8000- 23542300x800000000000000049747Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:00.540{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6868BC9E38F7848BC1F0B5BE27336CD,SHA256=02C2CFA54C547B4A2BD90B2F80CA679B6C584C5C01BA03A0C56D33B91CC1C7BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049748Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:01.556{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=054E6C1F5C731C4EB36D7A613DF7C470,SHA256=EA01B7F25DE428412FBED51EDC5BA5F43E6BA7C8AD640DBE407587116365C56E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026759Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:58:58.817{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50994-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026758Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:01.213{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D736FD485F5A3132396BBBB790818D70,SHA256=ECB3D7E1C6560658601C9467B382D8682C26EE1373C279527FCF9A84976F3163,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026762Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:59:02.667{4A7D70D7-4BB7-6140-0B00-00000000F101}6323352C:\Windows\system32\lsass.exe{4A7D70D7-4BB5-6140-0100-00000000F101}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000026761Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:02.651{4A7D70D7-4BB8-6140-1300-00000000F101}368NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=67C0E49802E72DF5BBDE484D97C1D692,SHA256=7A6D1F7EBE742781D109B87C4A9C8AF468AF72799B80182A9492605E9E2AAAFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026760Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:02.229{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE6B05F14CB378C855E13A31B4563F1,SHA256=E066338CA172C989B56E1CF2027FB6CFDC73A566EC3B9240012FC062EEB8C5CC,IMPHASH=00000000000000000000000000000000falsetrue 
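The records above are Sysmon events with their XML tags stripped by extraction; the EventID 10 (ProcessAccess) record that begins this line reads, in the schema's field order, UtcTime, SourceProcessGUID, SourceProcessId and SourceThreadId (fused here as "6323352"), SourceImage, TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess and CallTrace. Read that way, it is lsass.exe (PID 632) opening the System process (PID 4) with 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) from inside kerberos.dll, not something opening lsass.exe; a rule that matches "lsass.exe" in any field would misfire on it. The following added example (not part of this dataset or of the Splunk Attack Range project) re-wraps that record in the standard Sysmon event XML envelope, adds two constructed records (a benign status query by svchost.exe and a hypothetical dumper at C:\Users\Public\tools\ldump.exe, neither of which appears on the page), and triages them on TargetImage, the PROCESS_* rights in GrantedAccess (values from winnt.h), the source image path, and the "UNKNOWN(...)" frames Sysmon emits for call-trace addresses not backed by a loaded module. The 632/3352 split of the fused PID/TID is this example's reading, chosen because Windows PIDs and TIDs are multiples of 4.

```python
"""Added example, not part of the dataset above: parse Sysmon EventID 10 (ProcessAccess)
records and flag handle opens on lsass.exe that carry memory-reading rights.
The XML envelope is the standard Sysmon event schema; the page shows the same data with its
tags stripped, so the first sample is a reconstruction of record 26762, not the original file."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# PROCESS_* access rights (winnt.h) relevant to LSASS handle triage.
ACCESS_RIGHTS = {
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
# Rights that allow reading or manipulating LSASS memory; a plain status query lacks them.
MEMORY_MASK = 0x0002 | 0x0008 | 0x0010 | 0x0020 | 0x0040


def event10_xml(record_id, computer, data):
    """Wrap ProcessAccess EventData fields in a minimal Sysmon event envelope."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
        f"<EventID>10</EventID><EventRecordID>{record_id}</EventRecordID>"
        f"<Channel>Microsoft-Windows-Sysmon/Operational</Channel>"
        f"<Computer>{computer}</Computer></System><EventData>{fields}</EventData></Event>"
    )


# Record 26762 from the page (win-host-574, 08:59:02.667). The fused "6323352" is read as
# PID 632 / TID 3352 (assumption: both multiples of 4). CallTrace keeps only three frames.
PAGE_LSASS_EVENT = {
    "UtcTime": "2021-09-14 08:59:02.667",
    "SourceProcessGUID": "{4A7D70D7-4BB7-6140-0B00-00000000F101}",
    "SourceProcessId": "632", "SourceThreadId": "3352",
    "SourceImage": "C:\\Windows\\system32\\lsass.exe",
    "TargetProcessGUID": "{4A7D70D7-4BB5-6140-0100-00000000F101}",
    "TargetProcessId": "4", "TargetImage": "System",
    "GrantedAccess": "0x1000",
    "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+a6134|C:\\Windows\\System32\\KERNELBASE.dll+221bd|"
                 "C:\\Windows\\system32\\kerberos.DLL+96ef2|...",
}
# Two constructed records (not on the page): a benign status query and a dump pattern.
SVCHOST_QUERY = dict(PAGE_LSASS_EVENT, SourceImage="C:\\Windows\\System32\\svchost.exe",
                     SourceProcessId="1234", TargetImage="C:\\Windows\\system32\\lsass.exe",
                     TargetProcessId="632", GrantedAccess="0x1000",
                     CallTrace="C:\\Windows\\SYSTEM32\\ntdll.dll+a6134|"
                               "C:\\Windows\\System32\\KERNELBASE.dll+221bd")
DUMP_ATTEMPT = dict(SVCHOST_QUERY, SourceImage="C:\\Users\\Public\\tools\\ldump.exe",  # hypothetical
                    GrantedAccess="0x1010",
                    CallTrace="C:\\Windows\\SYSTEM32\\ntdll.dll+a6134|"
                              "C:\\Windows\\System32\\KERNELBASE.dll+221bd|UNKNOWN(000001F3A2B40000)")

SAMPLE_XML = [
    event10_xml(26762, "win-host-574.attackrange.local", PAGE_LSASS_EVENT),
    event10_xml(900001, "win-host-574.attackrange.local", SVCHOST_QUERY),
    event10_xml(900002, "win-host-574.attackrange.local", DUMP_ATTEMPT),
]


def parse_event(xml_text):
    """Flatten one Sysmon event into a dict keyed by EventData Name attributes."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": int(root.find("e:System/e:EventID", NS).text),
          "EventRecordID": int(root.find("e:System/e:EventRecordID", NS).text)}
    for d in root.findall("e:EventData/e:Data", NS):
        ev[d.get("Name")] = d.text or ""
    return ev


def decode_access(granted_hex):
    """Return (mask, names) for a Sysmon GrantedAccess string such as '0x1010'."""
    mask = int(granted_hex, 16)
    if mask & 0x1FFFFF == 0x1FFFFF:
        return mask, ["PROCESS_ALL_ACCESS"]
    return mask, [name for bit, name in sorted(ACCESS_RIGHTS.items()) if mask & bit]


def assess_lsass_access(ev):
    """Return (alert, reasons). Matches on TargetImage only, so lsass.exe acting as the
    source (as in record 26762 on this page) does not trigger."""
    if ev["EventID"] != 10:
        return False, ["not a ProcessAccess event"]
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False, ["target is not lsass.exe"]
    mask, names = decode_access(ev.get("GrantedAccess", "0x0"))
    reasons = []
    if mask & MEMORY_MASK:
        reasons.append("memory rights granted: " + ", ".join(names))
    if not ev.get("SourceImage", "").lower().startswith("c:\\windows\\"):
        reasons.append("source image outside C:\\Windows: " + ev["SourceImage"])
    if "UNKNOWN(" in ev.get("CallTrace", ""):
        reasons.append("call trace contains frames not backed by a loaded module")
    return bool(reasons), reasons


def triage(xml_records=SAMPLE_XML):
    """Return [(EventRecordID, alert, reasons), ...] for a batch of Sysmon XML events."""
    return [(ev["EventRecordID"],) + assess_lsass_access(ev) for ev in map(parse_event, xml_records)]


if __name__ == "__main__":
    for record_id, alert, reasons in triage():
        print(record_id, "ALERT" if alert else "ok", "; ".join(reasons))
```

The source-path and unbacked-frame checks are heuristics, not proof: a signed tool under C:\Windows can still read LSASS, and a dumper can run from a Windows path, so the GrantedAccess bits remain the primary signal and the other two only raise confidence. Note also that in this dataset the other EventID 10 records (csrss.exe and splunkd.exe opening their newly created children with 0x1fffff, svchost.exe querying sysmon64.exe with 0x1400) are routine process-management handles and never have lsass.exe as target.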
23542300x800000000000000049749Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:02.571{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22C19686DC879D1494B4ED79F57E5FF0,SHA256=14CAE41BF1CC02D79DAA7B8445CF9AEE608D525863D98281F79C8A40A3DADA91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026763Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:03.307{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA44F3C7F5D38F52182A4502F92ED21,SHA256=0779D907B1AA3E88CFF61AFAEDE3355872394FC73E5270AD5A3B1BBB14D3090D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049752Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:03.665{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C38BE49B0674F84F0F84BDD3312C7FA,SHA256=62F593017B7F26B91E9090EDF4F284E9853F7080F749794FD333D73C5102E3BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049751Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:03.665{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0F61B6335127FC99FC80F4D71436AC8,SHA256=4559C992CE63F7F99AED0712C7D8A8BB625B7B81294C6DCA5E30A0EC7E1C9B50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049750Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:03.571{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2077090CE4D91182079244244E32481,SHA256=9B00C890D92CC69475E3CE9A7DD9B4652A1C41370A280764030744946701E4A0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000049759Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:59:04.587{C8F4C507-4948-6140-2F00-00000000F001}1620C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML 13241300x800000000000000049758Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:59:04.571{C8F4C507-4948-6140-2F00-00000000F001}1620C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\43184136-7950-4DFA-B6E0-270A84556376\Config SourceDWORD (0x00000001) 13241300x800000000000000049757Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 08:59:04.571{C8F4C507-4948-6140-2F00-00000000F001}1620C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\43184136-7950-4DFA-B6E0-270A84556376\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_43184136-7950-4DFA-B6E0-270A84556376.XML 
23542300x800000000000000049756Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:04.571{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CB56AD70448AC7A6FC47F51FE809FA3,SHA256=2B854A874254F298F7BC0BF2E79C8117854142AC8A078BD40AD7A97B311EBA62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026764Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:04.417{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F54D9542BDA77D831A9F2097C2CEB60,SHA256=5B1FE73CE09F6AB9980566DA5EDE17BCF3C5A3220C608A1E539F15EE4D2AE496,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049755Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:04.259{C8F4C507-628F-6140-F508-00000000F001}6204ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=662BC67DCF83C271C0CCA78336123586,SHA256=C11305E243D3223B07B554168347E6767D1BE0C8DFFE8477C4771D06B3228DCD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049754Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:03.188{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50698-false10.0.1.12-8000- 354300x800000000000000049753Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:59:02.787{C8F4C507-4934-6140-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal50995-false10.0.1.14win-dc-158.attackrange.local445microsoft-ds 23542300x800000000000000049761Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:05.606{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C38BE49B0674F84F0F84BDD3312C7FA,SHA256=62F593017B7F26B91E9090EDF4F284E9853F7080F749794FD333D73C5102E3BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049760Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:05.575{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EC50F7D74BD299C5B9D9DB80B0B3ABC,SHA256=D0CD32410826BD17F0CAB760637CB25457D286B91A22740697499E4F15F790B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026766Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:01.228{4A7D70D7-4BB5-6140-0100-00000000F101}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50995-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal445microsoft-ds 23542300x800000000000000026765Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:05.422{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F42D3232060561ECDDE6615CC2916787,SHA256=7159AE8F832B9BD9860769A47A7F8C7A86332D2AAD37B35293CF8D3C0AE0228A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026767Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:06.437{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C1E699586AF5C55F2D37E63F9A0297D,SHA256=39517F92CAE46CCD8999749C2149E4240CAEF35CF3CB1CFAC3D9781F2587CD26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049768Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:06.591{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1DB7F5A39E6E2EB58BBF053D65CD388,SHA256=7075E9671C3715986915595FBBAC3FF0907893C52FC6E9C46AA764A3A00CE8FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049767Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:04.717{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local50701-truefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local389ldap 354300x800000000000000049766Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:04.716{C8F4C507-4948-6140-2F00-00000000F001}1620C:\Windows\System32\dfsrs.exeNT 
AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local50701-truefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local389ldap 354300x800000000000000049765Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:04.708{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local50700-truefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local389ldap 354300x800000000000000049764Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:04.708{C8F4C507-4948-6140-2F00-00000000F001}1620C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local50700-truefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local389ldap 354300x800000000000000049763Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:04.690{C8F4C507-4938-6140-0D00-00000000F001}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local50699-truefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local135epmap 354300x800000000000000049762Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:04.690{C8F4C507-4948-6140-2F00-00000000F001}1620C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local50699-truefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local135epmap 354300x800000000000000026769Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:04.775{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50996-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 
23542300x800000000000000026768Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:07.453{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB6A377078DF1743D545413BE95B909E,SHA256=302F8A74A92EC97D7AACD93F1CF59A5CE244FB0CDD0709BD28AC91996482B1CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049769Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:07.606{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1759EDF665287C304A1A5F5D78851248,SHA256=D1708FFCC506B848D279C2737AE9CE398934466FAEFD400D1FB096D130A4F53A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026770Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:08.609{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=387D87087E4899237D4ACB23E92F6BCF,SHA256=6B719E63D754E501DDC414B6710C3101C8525BAD043925183E76D0E68AFFBB4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049772Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:08.684{C8F4C507-628F-6140-F508-00000000F001}6204ATTACKRANGE\AdministratorC:\Program 
Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-09-14_085904MD5=622F996F98B3332A4C87BF023063769E,SHA256=0377AEB8BDD3FC47403380BDDC7B7E392765516E490B6615206EB441355B9FE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049771Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:08.684{C8F4C507-628F-6140-F508-00000000F001}6204ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=CF4C0CD7F90975A69D98A5F7794E0CE9,SHA256=65FDF4C256217C05A3F6AB5FD5B191CCD255928585ADF94F96BB08BDEE378029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049770Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:08.606{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B722C223614D1CEF4590FC6C010F17A4,SHA256=12E45810ED34CBDB5F0B29A49C577DD0D8EB16CC103A1ED6879EB6F1466492C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049774Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:08.348{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50702-false10.0.1.12-8000- 23542300x800000000000000049773Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:09.622{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36DE8CCBA83D5A43F423B8514DB3BBCF,SHA256=19B834E5473A2EE8834BC14637D991684645ACC1712D93D5634BDDBCCDA275CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026771Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:09.625{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2EF319FB636B6B47252CD3DE2B53B84,SHA256=E6D0D4257EFABFE8C14ACBAF14BDF739FEB667EA910F55E693E2CB9F42B94A59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026772Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:10.641{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E69D4F24066061D90005B120F7F825,SHA256=A33E062DE63D36EC29F000C33F9C41851549DF813962C0E274DA5AA46086F20A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049775Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:10.622{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF7486AE0B14B82BE3FB4C021A73FBF6,SHA256=2B572BBCF7F056A4057D6C5DFAC4F3106536A43B7136C0EA7F7C85D5106DD4AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026774Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:11.750{4A7D70D7-4C3D-6140-9E00-00000000F101}360NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=97307B6C6226AFFEFEDDF9EBA24D5EA3,SHA256=4CB856A974CB30F2D8F223261AE885385947BBAEFF3925236FB5B2D7588E78E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026773Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:11.641{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A068FA0D3B420119FD55FC317B432AE,SHA256=FAC07D211137D63AC111D70CE9B1B9201C78A8794562FD1BFA3943DB52192867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049776Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:11.638{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=409B647721B5E8747AB986E4ACE13A60,SHA256=0B7F83734A6AFE9EF2CCD60307D85E4553298C6E0C6071B8BECBE6887E388BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026775Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:12.656{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D4D5CAB31F0031368ADF75D54AD620C,SHA256=1585088E006F1E27FA96CC03D1B2D6B9EE9BDB4C0118942ADDAE6B97987048A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049777Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:59:12.638{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70DB59534E0895AD8453BF86DE22488D,SHA256=A92C01976347750D481CDAC255FBF714F9815A7EA089C390C36520F8BC056B06,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026778Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:10.619{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50998-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000026777Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:10.291{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50997-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000026776Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:13.672{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7475222247548F6E099FB146FA920CD8,SHA256=506E2F992E6531AB2A852AD70DEEC6CF83DF1A236A4E12152BFCD059CA31DA92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049778Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:13.653{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F041730BBA0831618D735D4B683FE79,SHA256=8A4BDD319FE599AFCB152E6D498AC8F322A3F018203A37208EECA19643E241F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026779Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:14.687{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C200EEF619D8858C0000E89A5003CAB3,SHA256=D1F2143BE7D6640D21968EC4FBB4E4BDA671BD2C1F2F0B24D59460568E70C786,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049781Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:14.669{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081C530073B24AF37B04D428FB8381B0,SHA256=AB9A2B2094591CDA38385FB9ABC5DE9DF3B4B35CA85A8653B535451DA85A8CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049780Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:14.434{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0ADF578B1D56F4584BFD048B3D72539C,SHA256=496DE4D0274FA2C6BA9ACFAA0F4500F9F1504C17A72BABD490AAB7467A7CF076,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049779Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:14.434{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=687BF34629F97E64B8672FBB25D9B34C,SHA256=72B02A1FDBD65CA642B465D25F551F262FD241476747254E06A3D7ED541D4FCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026780Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:15.703{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54347E748AE17DC2C03956855705B13C,SHA256=137FAFF3B8DCB0C4B77174208F913627E50CE36446948DC00C62FBDDC6AF3006,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049783Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:14.348{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50703-false10.0.1.12-8000- 23542300x800000000000000049782Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:15.669{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFA1C9FB8D12AF93529F18B08EF3E778,SHA256=3CF042A21B544CE70D139AE8B703010A40D348861E567AC9C72505744B12E32B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026781Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:16.734{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8740E52C51A8FA36031FB7B244659BC,SHA256=F964B2E325EE40549851FB5EFA68930ACC3484EC3476C72C164A145FB8D227B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049784Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:16.684{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A83B21B3FAF4C356820868E9521CCE7,SHA256=78F8DA2CE401A7F9975883C4396C3ADCE89E25437E535E0933A6314D83F9E25C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026782Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:17.734{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B35F20AE58436160FF7BB275B068BD37,SHA256=CDADD55BFF100A84EDC7540608D3BAD32460C0764A0804A8B0082C50EDBF14E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049785Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:17.684{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F6DF181500EE317C92C47583F7909D6,SHA256=DB1983B409DB6410E2603681672A5E545A349E8CA8D5E3962DE02670007CCD95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026783Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:18.750{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7527DB2D0F9BA17FE8FE4BB98519D730,SHA256=99BEC503D7AFBA5BAB2714D9E8A97640F80EDF11927F0785C8BF00D0743F0B23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049786Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:18.684{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC5F6CED567872AC4138B01D3FE69931,SHA256=309A45504D6E242FC81763CE02C70948B9AAD4C2AB0EFF0A6153973578CADF98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026784Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:19.766{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B6BD7643FDED56209B80DAEA6C8FCED,SHA256=24118425A7BDA24D9F24B8C0AB6DB7AEB74D6FF9403F40203DA16385979DD358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049787Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:19.684{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=375FD13CAD5ED5249DC74A2AC67355A0,SHA256=64387CCCDDB5F787283B9D054DB8FFB0736749EFED6DDB87BA738415AED1D57A,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000026786Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:20.781{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7683E46961D699D87D3D1EB669F7D82D,SHA256=4385F9513A36D2EE4B6959528F2B5E3901A12836ADD19A5EFA4CD4A3054928A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049788Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:20.700{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8882CE7205E70E6FD20F1651BBD45FF5,SHA256=627604A6B1775D886E98E1A23329A44518315C6DFB932E0FA022917625B6A14E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026785Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:15.634{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local50999-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026787Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:21.812{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=161D4529CDA4B6F73E0338BAB672324E,SHA256=DCC247D6E859D90824836FDF01A5BF36226D21E657974388B844D902CFBC1F3A,IMPHASH=00000000000000000000000000000000falsetrue 
354300x800000000000000049791Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:19.364{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50704-false10.0.1.12-8000- 23542300x800000000000000049790Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:21.716{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FA860D1DEC0C271B2BECD5B7AA73D1D,SHA256=EAE7C94E33FBD0351A13AC8E7D9A76DB676FE7D25FC8C3CB5741881C342C3E69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049789Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:21.200{C8F4C507-4938-6140-1000-00000000F001}420NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1F0368F6E7CA41999A3F08BA10D86020,SHA256=DAD3C7A705F9F0B5653F593C613BB55BADFDFCF9325569DA09F702CB300E312A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026815Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:22.844{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-646A-6140-9206-00000000F101}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026814Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
10341000x800000000000000026846Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:25.389{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026845Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:25.389{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000026844Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:25.389{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026843Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:25.389{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026842Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:59:25.389{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026841Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:25.389{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026840Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:59:25.389{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026839Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:25.389{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026838Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:59:25.389{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026837Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:25.389{4A7D70D7-4BB7-6140-0500-00000000F101}416952C:\Windows\system32\csrss.exe{4A7D70D7-646D-6140-9406-00000000F101}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026836Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:25.389{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-646D-6140-9406-00000000F101}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026835Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:25.390{4A7D70D7-646D-6140-9406-00000000F101}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000026834Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:20.791{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51000-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000049796Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:26.919{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80D8BC6492B79049E595A59320B09DE3,SHA256=9A9E3C20856E68E378B5CFAB4AC6004B7CA2BDFEBDC45E7CC7FECDFE8E871751,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026878Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:26.873{4A7D70D7-646E-6140-9606-00000000F101}32643436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026877Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:26.733{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-646E-6140-9606-00000000F101}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026876Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:59:26.733{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026875Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:26.733{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026874Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:59:26.733{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026873Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:26.733{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026872Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:59:26.733{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026871Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:26.733{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026870Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:59:26.733{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026869Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:26.733{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026868Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:59:26.733{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026867Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:26.733{4A7D70D7-4BB7-6140-0500-00000000F101}416532C:\Windows\system32\csrss.exe{4A7D70D7-646E-6140-9606-00000000F101}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026866Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:26.733{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-646E-6140-9606-00000000F101}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026865Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:26.733{4A7D70D7-646E-6140-9606-00000000F101}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026864Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:26.406{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7728B0FBD7C6AD1A542A82B225CFD1BE,SHA256=4A49517510E946661D81B3D2A1A3F7AE2798E5482DB5DC1C567B0D13BDD75D50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026863Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:59:26.266{4A7D70D7-646E-6140-9506-00000000F101}36161220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026862Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:26.233{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC412B79F0EFA6696A06F16BB1D133C8,SHA256=5E51384047ACB13F21D691E6549CB30C2A33F0CA26E159F8966151925D6F05E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026861Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:26.061{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-646E-6140-9506-00000000F101}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026860Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:59:26.061{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026859Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:26.061{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026858Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:59:26.061{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026857Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:26.061{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026856Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:59:26.061{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026855Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:26.061{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026854Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:59:26.061{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026853Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:26.061{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026852Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:59:26.061{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026851Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:26.061{4A7D70D7-4BB7-6140-0500-00000000F101}416432C:\Windows\system32\csrss.exe{4A7D70D7-646E-6140-9506-00000000F101}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026850Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:26.061{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-646E-6140-9506-00000000F101}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026849Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:26.061{4A7D70D7-646E-6140-9506-00000000F101}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049798Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:27.934{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F051976C37CFA840E652C05AB73730D1,SHA256=62288C69A85C3331B672BAA38418CA337F065E6F421182337D723CB45A30089D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026893Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:59:27.842{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06FA6CEBDF974966F2E334F2CB6338CF,SHA256=AFB4EC3E907885C6EA451B4C4F0FEC25A4444F37F0990BF371626A8AA9838877,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026892Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:27.608{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-646F-6140-9706-00000000F101}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026891Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:27.608{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026890Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:59:27.608{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026889Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:27.608{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026888Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:59:27.608{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026887Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:27.608{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026886Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:59:27.608{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026885Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:27.608{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026884Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:59:27.608{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026883Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:27.608{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026882Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:27.608{4A7D70D7-4BB7-6140-0500-00000000F101}416952C:\Windows\system32\csrss.exe{4A7D70D7-646F-6140-9706-00000000F101}1272C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026881Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:27.608{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-646F-6140-9706-00000000F101}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026880Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:27.609{4A7D70D7-646F-6140-9706-00000000F101}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026879Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:27.279{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F51B1891C801033585A7E00F9A95A6D,SHA256=266B2F4AF65BA9EC7CF58D4EA54F2E739D2A2B7C0D166974014EAD6EE910ADA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049797Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:25.301{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50705-false10.0.1.12-8000- 23542300x800000000000000049799Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:28.950{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6C7D90BD3AFFE6A9EDA0EA22FA5FD48,SHA256=7699663AB367024B11262243DD650954AE51123E11EB118E603FBC2E7BF21423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026894Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:28.483{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=845768D992C75FECB714576D9562B1CB,SHA256=1B7C9A7C6D0E91CC480D2C5847E419D662D3635DCB9DB81943F4866DC4FC5AB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049800Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:29.981{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9730DA017F4E6008B579D9B413E41F2,SHA256=186F033A01283BE53D01EC736383BAC1AE5BF6647F6E8451146BB08D0C7CBDB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026895Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:29.514{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCABCE6A35CBE29922606FE2672C60D6,SHA256=977435B90B4654FF63622B421D02B542DCBF9F743FB023B84656D094D6781742,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049805Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:30.995{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A893C33F79B25E5E516562B22E62ECF9,SHA256=72364ADB77396A7F68733B3DCD230B5F0744D365D7107CE02A656F85CE7BEADC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026897Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:59:26.601{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51001-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026896Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:30.529{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6D701F737EA8B1FC62ACCA6C36EC6CD,SHA256=8E1D3C9C132C8A070969F8E7E2D3A152B989B3C5C96A5B2BD1A6C0093BA45AB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049804Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:30.808{C8F4C507-4948-6140-2D00-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=CD583DCA9C6E21FFDAA48757D121EA69,SHA256=954C70F63C07F09E1DA47A77749E87274EA21729B74EF6647118A7A1F78565FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049803Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:30.808{C8F4C507-4948-6140-2D00-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=DCDF1DC19D96D12D1189D09267820BA1,SHA256=1E2C6D5F050A536A0B3DF1A89B7128EB508EE59AE353437CABF5B06DD963DB36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049802Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:30.808{C8F4C507-4948-6140-2D00-00000000F001}2960NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=A57AAA953D281D53DC056CE898F62008,SHA256=A2A9A831D2723664BA540176996644E8B335CE92A34AFDB6251ECF21F7D0A72D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049801Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:30.171{C8F4C507-4948-6140-2A00-00000000F001}2916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0477d517a1c234eb8\channels\health\respondent-20210914070338-112MD5=444213A5E4761AD14A80FA7E47991D82,SHA256=0DBDB8A4E56CED56EF8E5BF7E0DBD8D08A5C60B4FE09EE301DC946EF89962DD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026898Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:31.545{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DE03BE402C81AB06ECD0370B46D82AD,SHA256=11FDC6232B83BF8B802CE3B56BF9CA83272E5816B63532B61CAF60FF116EB63B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049807Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:30.331{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50706-false10.0.1.12-8000- 23542300x800000000000000049806Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:31.184{C8F4C507-4948-6140-2A00-00000000F001}2916NT AUTHORITY\SYSTEMC:\Program 
08:59:45.673{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049829Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:45.673{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049828Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:59:45.673{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049827Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:45.673{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049826Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:59:45.673{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049825Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:45.486{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56CC465225CFD381260581B10BFA739D,SHA256=77CA5090F66C3DFDB885299D8BFAF69AD7322D4AD6758647103FC4C67B10C1BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026916Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:42.804{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51004-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026915Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:45.081{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E5ABC5F83E8DA6DA1D309D1A08E7CB4,SHA256=AD5572CB34FC0D42442CD74F9B1ECEB627A0C465B0ADF05A4C71B832D006BA12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049861Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:46.892{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=123A3B419D646265FB5916509FE5FD89,SHA256=E664441049B9215F5576F87A120330A314F8457280F8C9434BC7ACB9F2B27884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026917Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:46.097{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4CB0431578A1D349AA1C4EF296F0F6B,SHA256=3731171714E6211B07F4742E81697CB9CE3D97E117DDC36FD260420B236647C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049872Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:47.892{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C32DC9A70DDA698BE6990682CD6D41D,SHA256=3F465AC7A5651FFB1D727E40CEDDF0A7A631473681AB279BB65C9967C6C7F42C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026918Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:47.112{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8395A19C645E9824B11DBF70569D34A9,SHA256=C2F103978BBF1879E0BDF6E2E0972D4EECC6F13CAE10C16A138B19EDAF8DCE38,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000049871Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:47.548{C8F4C507-6483-6140-3E09-00000000F001}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000049870Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:47.548{C8F4C507-6483-6140-3E09-00000000F001}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000049869Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:47.548{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-6483-6140-3E09-00000000F001}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000049868Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:47.548{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049867Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:47.548{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049866Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:59:47.548{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049865Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:47.548{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049864Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:47.548{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-6483-6140-3E09-00000000F001}6024C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049863Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:47.548{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-6483-6140-3E09-00000000F001}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049862Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:47.549{C8F4C507-6483-6140-3E09-00000000F001}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049895Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:48.908{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FD231666FD4779C36FCC2A661131EF0,SHA256=F3F329D849DE302BB99FD2D4B60CDD1F684B354C2A209DB8E9A92EFE3CA2596F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026919Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:48.128{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF7BBC5470890351B73E4F0555EAF8C3,SHA256=D34CE8420115F2EB25A4F081395430A302B684DD287B8B097A72CC28A4AB66A9,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000049894Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:48.892{C8F4C507-6484-6140-4009-00000000F001}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 
734700x800000000000000049893Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:48.892{C8F4C507-6484-6140-4009-00000000F001}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000049892Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:48.892{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-6484-6140-4009-00000000F001}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049891Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:59:48.892{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049890Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:48.892{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049889Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:59:48.892{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049888Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:48.892{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049887Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:48.892{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-6484-6140-4009-00000000F001}6420C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049886Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:48.892{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-6484-6140-4009-00000000F001}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049885Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:48.893{C8F4C507-6484-6140-4009-00000000F001}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049884Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:48.689{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7AD466AE128AA6CBE25836300E70A691,SHA256=B2367D89A216715D1BA308CF0BD1969F931E89F3C02DE62FF4B8575597681BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049883Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:48.689{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0ADF578B1D56F4584BFD048B3D72539C,SHA256=496DE4D0274FA2C6BA9ACFAA0F4500F9F1504C17A72BABD490AAB7467A7CF076,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000049882Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:48.220{C8F4C507-6484-6140-3F09-00000000F001}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 
734700x800000000000000049881Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:48.220{C8F4C507-6484-6140-3F09-00000000F001}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000049880Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:48.220{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-6484-6140-3F09-00000000F001}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049879Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:59:48.220{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049878Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:48.220{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049877Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:59:48.220{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049876Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:48.220{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049875Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:48.220{C8F4C507-4936-6140-0500-00000000F001}416532C:\Windows\system32\csrss.exe{C8F4C507-6484-6140-3F09-00000000F001}4768C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049874Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:48.220{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-6484-6140-3F09-00000000F001}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049873Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:48.221{C8F4C507-6484-6140-3F09-00000000F001}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049899Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:49.908{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7AD466AE128AA6CBE25836300E70A691,SHA256=B2367D89A216715D1BA308CF0BD1969F931E89F3C02DE62FF4B8575597681BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049898Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:49.908{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A45BA1C3EB06413E1CAE2105DC3B5A99,SHA256=1687CCA6B682ABF6850B45FDD02FF3294019A411C14F3B4C7601EFA701BE0A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026920Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:49.128{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCCD8947890C3F33F8CE5EB67903DD98,SHA256=9CC43FF237170912E60CA19474F3A8AE76975D01A5FB27AC24518AB4655EFA7A,IMPHASH=00000000000000000000000000000000falsetrue 
354300x800000000000000049897Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:48.197{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50710-false10.0.1.12-8000- 10341000x800000000000000049896Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:49.064{C8F4C507-6484-6140-4009-00000000F001}64206876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049900Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:50.923{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=008CBC15D3A5A16F44310E1641C1E9B4,SHA256=58B49B131C9FC1732BF0CF5B0E1EE71A330696E966A291031A2BEE6919DB1FE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026921Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:50.144{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=749820E58F15FC353C2615EDB1E7AF5A,SHA256=7211664409E3450D2F23A0B0C1A0B089F4AAC2E28AB1303D68564716D83D896A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049913Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:51.923{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD9D342A01F15C34985F9FF6FC5DD97B,SHA256=E463AACF9505D525CDF95B58D42838C46E973139D8FCB72C2DD534B61442049C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026922Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:51.159{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E923F268026FBDDA8639F48ED7C404B,SHA256=29CD59D7FDD8A05010E969D0CD08DEFFFEFBD1451E276AD90A9871AB06EA3875,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049912Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:51.658{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AACE510E0FE91F4AD54CA09583CAC14,SHA256=4D927968999AF4E99DBB874149325C5C18C9F79B2D580451102CC775B3FC39A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049911Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:51.564{C8F4C507-6487-6140-4109-00000000F001}64806408C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000049910Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:51.361{C8F4C507-6487-6140-4109-00000000F001}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000049909Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:51.361{C8F4C507-6487-6140-4109-00000000F001}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000049908Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:51.361{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-6487-6140-4109-00000000F001}6480C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049907Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:51.345{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049906Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:59:51.345{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049905Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:51.345{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049904Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:59:51.345{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049903Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:51.345{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-6487-6140-4109-00000000F001}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049902Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:51.345{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-6487-6140-4109-00000000F001}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049901Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:51.346{C8F4C507-6487-6140-4109-00000000F001}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049927Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:52.955{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86D43CB5E81D54636E43902E1C9B2D35,SHA256=13323AD8DBE044C5C0331167C12D3B8A8781B8E9E8505CFF75C6C17A43BCED52,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026924Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
08:59:48.778{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51005-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026923Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:52.175{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A1397FC4CF0824E4F56EC1C24EC662,SHA256=C9DBA94DFC84D9D6689C874F2BBFF81B6AF3C138868AAB86FED7056F7C21EAD3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049926Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:52.767{C8F4C507-6488-6140-4209-00000000F001}59166244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000049925Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:50.759{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50711-true0:0:0:0:0:0:0:1win-dc-158.attackrange.local389ldap 
354300x800000000000000049924Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:50.759{C8F4C507-4948-6140-2700-00000000F001}2876C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50711-true0:0:0:0:0:0:0:1win-dc-158.attackrange.local389ldap 734700x800000000000000049923Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:52.548{C8F4C507-6488-6140-4209-00000000F001}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000049922Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:52.548{C8F4C507-6488-6140-4209-00000000F001}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000049921Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:52.548{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-6488-6140-4209-00000000F001}5916C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049920Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:52.548{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049919Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:59:52.548{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049918Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:52.548{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049917Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:59:52.548{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049916Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:52.548{C8F4C507-4936-6140-0500-00000000F001}416532C:\Windows\system32\csrss.exe{C8F4C507-6488-6140-4209-00000000F001}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049915Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:52.548{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-6488-6140-4209-00000000F001}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049914Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:52.549{C8F4C507-6488-6140-4209-00000000F001}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026925Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:53.237{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89FE5695098A9056E8FE6DD253B8F2D,SHA256=5C79F7111504F4D55068A4CAD9F88BEC83E96FFC235CC0A0757A5FA3F84AC744,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000049949Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:59:53.845{C8F4C507-6489-6140-4409-00000000F001}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000049948Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:53.845{C8F4C507-6489-6140-4409-00000000F001}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000049947Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:53.845{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-6489-6140-4409-00000000F001}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049946Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:59:53.845{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049945Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:53.845{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049944Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:59:53.845{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049943Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:53.845{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049942Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:53.845{C8F4C507-4936-6140-0500-00000000F001}416532C:\Windows\system32\csrss.exe{C8F4C507-6489-6140-4409-00000000F001}2912C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049941Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:53.845{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-6489-6140-4409-00000000F001}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049940Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:53.846{C8F4C507-6489-6140-4409-00000000F001}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049939Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:53.720{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C996247FA842BE708DFFDA41B0BA9EE3,SHA256=2CBBFE8812BC76EEB41A9765C2895DAE24CBF70CA2CDBECD4229B4A25223071B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049938Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:53.345{C8F4C507-6489-6140-4309-00000000F001}69285340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000049937Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:53.189{C8F4C507-6489-6140-4309-00000000F001}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 
(rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000049936Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:53.173{C8F4C507-6489-6140-4309-00000000F001}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000049935Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:53.173{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-6489-6140-4309-00000000F001}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049934Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:59:53.173{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049933Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:53.173{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049932Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:59:53.173{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049931Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:53.173{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049930Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:53.173{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-6489-6140-4309-00000000F001}6928C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049929Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:53.173{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-6489-6140-4309-00000000F001}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049928Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:53.174{C8F4C507-6489-6140-4309-00000000F001}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026926Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:54.269{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=376B81634A8657ABDC9E71882FCD077B,SHA256=4A501AC9D309967468CE4AD07DBA29AFDC94DFAB20DA9F6A88BB2DAB07AC6FE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049952Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:54.845{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F074FE1C73878EF791EF916065E58A9,SHA256=D0D0BF6B363D47BBE8B6D7430185137580CE2317695BE31F4F3FA1A1F7F2E624,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049951Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:53.322{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50712-false10.0.1.12-8000- 23542300x800000000000000049950Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:54.001{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A537DA6A0F7170EB28202EA0548D67,SHA256=BCB8B9B9F3A6E87A3B9FE6A9E5B06B875AA27CB78E202CF639984766533FFC26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026927Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:55.472{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3176172CB7A154D2989E830E9A40B249,SHA256=C9DF26C5323D9B39C5030FE9727041A685CF2ABDFAA51876BFC4F856FC45AF9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049953Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:55.001{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF344CA42491CAA2C1B4EDC51CDB4E35,SHA256=5169FF327117FAEB0D8A6EA287F98B2464B654022999437D928C53AD51EBCE90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026928Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:56.581{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F4500CAA8707676FE0E3807CA80BC25,SHA256=806566103F03AC4C8AC03EB15CF48B491E8678FF95D3428F707C8F6E9B6E802A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049954Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
08:59:56.017{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38111D26C5D88EEFC7BCF177752A1478,SHA256=4EA1F84AAB1443FBAEF8CFC08B102066C5643696E00C747E3EBAEBD00C35B240,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026929Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:57.690{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE335D4273AC235E7AC95D215069BF01,SHA256=80E68D115D67939EAC948C783F3DE5C835933DFD895157158E8443BC32419603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049955Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:57.017{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F45DDCF30F77D6B472CCE84F5524B26B,SHA256=41CA382D7919ADE4504D1077AE802D0BCA8A69E5A0F6E1EFC6EDD2FCAAF19320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026931Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:58.909{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB48E2C269E50F6C27BC637E95ACCCE,SHA256=843DC4FFD90E0C000984B31AA9873CD0A033E97E22B951D0010C581911786B34,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000049956Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:58.017{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08B0ADF5CDE490F91BA3CBE77CBFE1C8,SHA256=22F1FADBC2A12DAFA50DD35CA8F952A9225A7DC76B00562EF5E1A2923A236B7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026930Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 08:59:54.622{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51006-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000049958Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:58.337{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50713-false10.0.1.12-8000- 23542300x800000000000000049957Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 08:59:59.033{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78FADCD14B1A2F980ECC8270D6597AEE,SHA256=D6B2A05ACBFA23DB361C81D7AF92E08B003EE86A832A15F7987E13C793BFF359,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026932Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:00.081{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DE711A5E92CCABC1208BA8239630D31,SHA256=1570E3886E97813E503D558C1FF52083C20A63876D057DFA9BDB2710B19599DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049959Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:00.048{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9C21097F8FA7B11555CA83ABCF253E6,SHA256=9AAC746D772839B106DC7C780D977175BEBAD9F4E8C274330BDA146407691883,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026933Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:01.206{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C8058D979105A029B3F36F4A032BDD3,SHA256=80FAD5F5C8EE862476BCA9DBC6E82051423E394D0FC380D131AFA94522FAD7D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049960Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:01.048{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF245490F0BB107FA579165110BC28C2,SHA256=14DAFF04EC43543A9DB714594216D856A4E47C95ADCC335B21444FCF924AA76F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026935Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:00:02.659{4A7D70D7-4BB8-6140-1300-00000000F101}368NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=56F307CB49841F9B4BCC23C8B4FBFD63,SHA256=113977D56D52BF0C4901FEBB07C8B54DC9CE65A3D50282C538862C94EF2A56BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026934Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:02.253{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCF1E1E3C322937582B18ABE7066ED16,SHA256=6C6219D9E26F8B8F9311BF01E0798DACE8FB608E2C3CEBE0A09D7B078E06B216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049961Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:02.048{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06DE052BCD27265161246BB7BF2F8B56,SHA256=9872E0CF4F40240CD6B223FFA13503507F6C6C9153436C59A86364A30C3DDD31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026946Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:00:03.769{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB8-6140-1500-00000000F101}1028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026945Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:03.769{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB8-6140-1500-00000000F101}1028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026944Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:00:03.769{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB8-6140-1500-00000000F101}1028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026943Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:03.769{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB8-6140-1500-00000000F101}1028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026942Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:00:05.147{4A7D70D7-4BB7-6140-0C00-00000000F101}7283692C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026976Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:05.147{4A7D70D7-4BB7-6140-0C00-00000000F101}7283692C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026975Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:00:05.147{4A7D70D7-4BB7-6140-0C00-00000000F101}7283692C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026974Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:05.131{4A7D70D7-4BB7-6140-0C00-00000000F101}7283084C:\Windows\system32\svchost.exe{4A7D70D7-4BB8-6140-1000-00000000F101}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026973Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:00:05.131{4A7D70D7-4BB7-6140-0C00-00000000F101}7283692C:\Windows\system32\svchost.exe{4A7D70D7-4BB8-6140-1000-00000000F101}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+82744|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026972Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:05.131{4A7D70D7-4BB7-6140-0C00-00000000F101}7283084C:\Windows\system32\svchost.exe{4A7D70D7-4BB8-6140-1000-00000000F101}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000026971Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:05.131{4A7D70D7-4BB7-6140-0C00-00000000F101}7283692C:\Windows\system32\svchost.exe{4A7D70D7-4BB8-6140-1000-00000000F101}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+82744|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000026970Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-SetValue2021-09-14 09:00:05.131{4A7D70D7-4BB8-6140-1500-00000000F101}1028C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x800000000000000026969Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:00:05.131{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB8-6140-1000-00000000F101}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026968Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:05.131{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB8-6140-1000-00000000F101}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026967Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:00:05.131{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB8-6140-1000-00000000F101}944C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026966Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:05.131{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CE43E9E3457CE31C795B843E0D75B335,SHA256=A19AFA9B6E8E962A49C287E3A5D5B8EC3037643CDDDF9BBC2D249C943DB31F0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026965Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:05.131{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8ECCB4F9C9334482EDE13C8D2014F29F,SHA256=CA6EC11406F6409D387180FA9DE4B2DD89CF80CC541DD7CD33E8952877A974BD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000026964Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.localT1101SetValue2021-09-14 
09:00:05.084{4A7D70D7-4BB7-6140-0A00-00000000F101}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001) 22542200x800000000000000027012Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:03.983{00000000-0000-0000-0000-000000000000}3804win-dc-158.attackrange.local0::ffff:10.0.1.14;<unknown process> 354300x800000000000000027011Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:03.702{4A7D70D7-4BB8-6140-1500-00000000F101}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c800:91b0:82b6:ffff-58835-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x800000000000000027010Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:03.702{4A7D70D7-4BB8-6140-1500-00000000F101}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:4f2:2235:5ebe:f462win-host-574.attackrange.local58835-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x800000000000000027009Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:03.152{4A7D70D7-4BB5-6140-0100-00000000F101}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51013-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal445microsoft-ds 354300x800000000000000027008Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:03.142{4A7D70D7-4BB5-6140-0100-00000000F101}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51015-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal445microsoft-ds 354300x800000000000000027007Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:03.141{4A7D70D7-4BB5-6140-0100-00000000F101}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51014-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal445microsoft-ds 
354300x800000000000000027006Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:03.079{4A7D70D7-4BB5-6140-0100-00000000F101}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51012-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal445microsoft-ds 354300x800000000000000027005Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:02.762{4A7D70D7-4BB8-6140-1000-00000000F101}944C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51011-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal389ldap 23542300x800000000000000027004Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:06.553{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1F064B34325CD33ECF843FF49D4B635,SHA256=3C5102809DE1D83882D1534D7C6B6AE9BF9312B05754362926AF7ABE3CD71B0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049988Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:05.658{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51020-false10.0.1.14win-dc-158.attackrange.local88kerberos 354300x800000000000000049987Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:05.656{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51019-false10.0.1.14win-dc-158.attackrange.local88kerberos 354300x800000000000000049986Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:05.653{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51018-false10.0.1.14win-dc-158.attackrange.local88kerberos 354300x800000000000000049985Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:05.545{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-158.attackrange.local389-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal53024- 354300x800000000000000049984Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:05.534{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-158.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal53023- 354300x800000000000000049983Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:05.531{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51017-false10.0.1.14win-dc-158.attackrange.local389ldap 354300x800000000000000049982Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:05.478{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51016-false10.0.1.14win-dc-158.attackrange.local389ldap 354300x800000000000000049981Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:05.285{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-158.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal55531- 354300x800000000000000049980Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:05.284{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-158.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal64583- 354300x800000000000000049979Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:04.722{C8F4C507-4934-6140-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51013-false10.0.1.14win-dc-158.attackrange.local445microsoft-ds 354300x800000000000000049978Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:04.712{C8F4C507-4934-6140-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51015-false10.0.1.14win-dc-158.attackrange.local445microsoft-ds 354300x800000000000000049977Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:04.712{C8F4C507-4934-6140-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51014-false10.0.1.14win-dc-158.attackrange.local445microsoft-ds 354300x800000000000000049976Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:04.639{C8F4C507-4934-6140-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51012-false10.0.1.14win-dc-158.attackrange.local445microsoft-ds 354300x800000000000000049975Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:04.322{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51011-false10.0.1.14win-dc-158.attackrange.local389ldap 354300x800000000000000049974Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:04.214{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-158.attackrange.local389-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal54295- 354300x800000000000000049973Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:04.198{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51010-false10.0.1.14win-dc-158.attackrange.local389ldap 354300x800000000000000049972Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:04.181{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50714-false10.0.1.12-8000- 23542300x800000000000000049971Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:06.130{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13E8622997EC5820DDFFA0BBC62A08ED,SHA256=1BF0E5CF323AB0A384AEA559B64A5AA928D24D1F462590D591E93596DB88FCA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049970Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:06.083{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E3CEA2347EC04060AB3A09828A5233,SHA256=A9900E7F90C4A09ACE3B94A385AF72878FDCC99F56D2FDB4B0C6DC53D1493AC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027003Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:06.538{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8B62222F41BE45B09C54399FA79470D,SHA256=87737353D2452F67A74097CA995CC44907E994CB95ACAC5D16ABFF4AE8BED887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027002Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:06.147{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E5171D1A4096A1C8DEAC77EA06F6FB40,SHA256=248811211DEF0832A9EA61509EACA22230425841DB457C6CD968C31601AB6378,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027001Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:06.147{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D452F7FA7900CE4FF07E9BEB986BE2FC,SHA256=8ADA89E5AE2411BFFCAEEE8432D2D56A2FEEBE9E41ABB58F94B858DA1E26D71E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027016Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:04.098{4A7D70D7-4BB7-6140-0B00-00000000F101}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51020-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal88kerberos 354300x800000000000000027015Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:04.097{4A7D70D7-4BB7-6140-0B00-00000000F101}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51019-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal88kerberos 
354300x800000000000000027014Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:04.094{4A7D70D7-4BB7-6140-0B00-00000000F101}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51018-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal88kerberos 23542300x800000000000000027013Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:07.584{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=716B62CFE3264F11ED487DCBF372B368,SHA256=0F500C0CB7FE2438F3CB2BFDAE599851877353887F9D4CC97D0640616855CF8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049998Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:07.989{C8F4C507-5C83-6140-A007-00000000F001}4224696C:\Windows\system32\csrss.exe{C8F4C507-6497-6140-4509-00000000F001}6360C:\Windows\helppane.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049997Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:07.973{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049996Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:07.973{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049995Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
[record continued from the preceding line; header fields are not in this section]
UtcTime=09:00:07.973
SourceProcessGUID={C8F4C507-4936-6140-0500-00000000F001}
SourceProcessId=416
SourceThreadId=532
SourceImage=C:\Windows\system32\csrss.exe
TargetProcessGUID={C8F4C507-6497-6140-4509-00000000F001}
TargetProcessId=6360
TargetImage=C:\Windows\helppane.exe
GrantedAccess=0x1fffff
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=49994 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:07.973
SourceProcessGUID={C8F4C507-4937-6140-0C00-00000000F001}
SourceProcessId=848
SourceThreadId=660
SourceImage=C:\Windows\system32\svchost.exe
TargetProcessGUID={C8F4C507-4948-6140-2900-00000000F001}
TargetProcessId=2892
TargetImage=C:\Windows\sysmon64.exe
GrantedAccess=0x1400
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=49993 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:07.973
SourceProcessGUID={C8F4C507-4937-6140-0C00-00000000F001}
SourceProcessId=848
SourceThreadId=660
SourceImage=C:\Windows\system32\svchost.exe
TargetProcessGUID={C8F4C507-4948-6140-2900-00000000F001}
TargetProcessId=2892
TargetImage=C:\Windows\sysmon64.exe
GrantedAccess=0x1400
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=49992 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:07.973
SourceProcessGUID={C8F4C507-4937-6140-0C00-00000000F001}
SourceProcessId=848
SourceThreadId=6952
SourceImage=C:\Windows\system32\svchost.exe
TargetProcessGUID={C8F4C507-6497-6140-4509-00000000F001}
TargetProcessId=6360
TargetImage=C:\Windows\helppane.exe
GrantedAccess=0x1fffff
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36dd2|c:\windows\system32\rpcss.dll+3dbed|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=1 Version=5 Level=4 Task=1 Opcode=0 Keywords=0x8000000000000000 RecordNumber=49991 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:07.969
ProcessGuid={C8F4C507-6497-6140-4509-00000000F001}
ProcessId=6360
Image=C:\Windows\HelpPane.exe
FileVersion=10.0.14393.4169 (rs1_release.210107-1130)
Description=Microsoft Help and Support
Product=Microsoft® Windows® Operating System
Company=Microsoft Corporation
OriginalFileName=HelpPane.exe
CommandLine=C:\Windows\helppane.exe -Embedding
CurrentDirectory=C:\Windows\system32\
User=ATTACKRANGE\Administrator
LogonGuid={C8F4C507-5C85-6140-1A54-470000000000}
LogonId=0x47541a
TerminalSessionId=2
IntegrityLevel=High
Hashes=MD5=380E52A1BD6E6EA3BF1BAD332BF23FCC,SHA256=0401B8AEB5915E42828A2611141FD330AB45ECA7086D138543295F5E5D7268DF,IMPHASH=14B8CA748B7952F9162EB873CFAC09F4
ParentProcessGuid={C8F4C507-4937-6140-0C00-00000000F001}
ParentProcessId=848
ParentImage=C:\Windows\System32\svchost.exe
ParentCommandLine=C:\Windows\system32\svchost.exe -k DcomLaunch

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=49990 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:07.801
SourceProcessGUID={C8F4C507-4938-6140-1400-00000000F001}
SourceProcessId=1064
SourceThreadId=3556
SourceImage=C:\Windows\system32\svchost.exe
TargetProcessGUID={C8F4C507-4948-6140-2900-00000000F001}
TargetProcessId=2892
TargetImage=C:\Windows\sysmon64.exe
GrantedAccess=0x100000
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=49989 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:07.114
ProcessGuid={C8F4C507-495A-6140-7B00-00000000F001}
ProcessId=3640
User=NT AUTHORITY\SYSTEM
Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
Hashes=MD5=5905AB45B8D64FDE6C2DCFBAAF5400B1,SHA256=A41222CFC82B955B558EBBD5D94129F71D2A42DE9E375CDDA7C254A7BA58032E,IMPHASH=00000000000000000000000000000000
IsExecutable=false
Archived=true

EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27019 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-574.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:08.725
ProcessGuid={4A7D70D7-4C4C-6140-D500-00000000F101}
ProcessId=4060
User=NT AUTHORITY\SYSTEM
Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
Hashes=MD5=48F64386DC52D30D65440A23EE078192,SHA256=FF9A7266A58D5E9AF8362DD7EFD5AC56B9C353018FCBEA414AEEDB6CC8B4C811,IMPHASH=00000000000000000000000000000000
IsExecutable=false
Archived=true

EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50024 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:08.973
ProcessGuid={C8F4C507-495A-6140-7B00-00000000F001}
ProcessId=3640
User=NT AUTHORITY\SYSTEM
Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
Hashes=MD5=D5E0BCCBD26EA9AFBF05F15C06314F6B,SHA256=9991FCA9C3BF4D4F9574FA5CF59368E590E3DDE8C73EBFB1BF19DE48BB857789,IMPHASH=00000000000000000000000000000000
IsExecutable=false
Archived=true

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50023 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:08.895
SourceProcessGUID={C8F4C507-4936-6140-0B00-00000000F001}
SourceProcessId=632
SourceThreadId=4692
SourceImage=C:\Windows\system32\lsass.exe
TargetProcessGUID={C8F4C507-6498-6140-4609-00000000F001}
TargetProcessId=6388
TargetImage=C:\Program Files\Internet Explorer\iexplore.exe
GrantedAccess=0x1478
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50022 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:08.895
SourceProcessGUID={C8F4C507-4936-6140-0B00-00000000F001}
SourceProcessId=632
SourceThreadId=4692
SourceImage=C:\Windows\system32\lsass.exe
TargetProcessGUID={C8F4C507-6498-6140-4609-00000000F001}
TargetProcessId=6388
TargetImage=C:\Program Files\Internet Explorer\iexplore.exe
GrantedAccess=0x1000
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50021 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:08.817
SourceProcessGUID={C8F4C507-6498-6140-4609-00000000F001}
SourceProcessId=6388
SourceThreadId=5800
SourceImage=C:\Program Files\Internet Explorer\iexplore.exe
TargetProcessGUID={C8F4C507-5C87-6140-B607-00000000F001}
TargetProcessId=3372
TargetImage=C:\Windows\Explorer.EXE
GrantedAccess=0x1400
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\IEFRAME.dll+da825|C:\Windows\SYSTEM32\IEFRAME.dll+da7a3|C:\Windows\SYSTEM32\IEFRAME.dll+da71d|C:\Windows\SYSTEM32\IEFRAME.dll+da52e|C:\Windows\SYSTEM32\IEFRAME.dll+2a7750|C:\Windows\SYSTEM32\IEFRAME.dll+152a14|C:\Windows\SYSTEM32\IEFRAME.dll+d9b81|C:\Windows\SYSTEM32\IEFRAME.dll+152a9f|C:\Program Files\Internet Explorer\iexplore.exe+14e9|C:\Program Files\Internet Explorer\iexplore.exe+1d77|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50020 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:08.802
SourceProcessGUID={C8F4C507-4938-6140-1600-00000000F001}
SourceProcessId=1324
SourceThreadId=5100
SourceImage=C:\Windows\system32\svchost.exe
TargetProcessGUID={C8F4C507-6498-6140-4609-00000000F001}
TargetProcessId=6388
TargetImage=C:\Program Files\Internet Explorer\iexplore.exe
GrantedAccess=0x1400
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50019 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:08.802
SourceProcessGUID={C8F4C507-4938-6140-1600-00000000F001}
SourceProcessId=1324
SourceThreadId=1352
SourceImage=C:\Windows\system32\svchost.exe
TargetProcessGUID={C8F4C507-6498-6140-4609-00000000F001}
TargetProcessId=6388
TargetImage=C:\Program Files\Internet Explorer\iexplore.exe
GrantedAccess=0x1478
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50018 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:08.676
SourceProcessGUID={C8F4C507-4937-6140-0C00-00000000F001}
SourceProcessId=848
SourceThreadId=6952
SourceImage=C:\Windows\system32\svchost.exe
TargetProcessGUID={C8F4C507-4948-6140-2900-00000000F001}
TargetProcessId=2892
TargetImage=C:\Windows\sysmon64.exe
GrantedAccess=0x1400
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50017 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:08.676
SourceProcessGUID={C8F4C507-4937-6140-0C00-00000000F001}
SourceProcessId=848
SourceThreadId=6952
SourceImage=C:\Windows\system32\svchost.exe
TargetProcessGUID={C8F4C507-4948-6140-2900-00000000F001}
TargetProcessId=2892
TargetImage=C:\Windows\sysmon64.exe
GrantedAccess=0x1400
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50016 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:08.676
SourceProcessGUID={C8F4C507-5C83-6140-A007-00000000F001}
SourceProcessId=4224
SourceThreadId=696
SourceImage=C:\Windows\system32\csrss.exe
TargetProcessGUID={C8F4C507-6498-6140-4609-00000000F001}
TargetProcessId=6388
TargetImage=C:\Program Files\Internet Explorer\iexplore.exe
GrantedAccess=0x1fffff
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50015 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:08.676
SourceProcessGUID={C8F4C507-4937-6140-0C00-00000000F001}
SourceProcessId=848
SourceThreadId=6952
SourceImage=C:\Windows\system32\svchost.exe
TargetProcessGUID={C8F4C507-4948-6140-2900-00000000F001}
TargetProcessId=2892
TargetImage=C:\Windows\sysmon64.exe
GrantedAccess=0x1400
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50014 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:08.676
SourceProcessGUID={C8F4C507-4937-6140-0C00-00000000F001}
SourceProcessId=848
SourceThreadId=6952
SourceImage=C:\Windows\system32\svchost.exe
TargetProcessGUID={C8F4C507-4948-6140-2900-00000000F001}
TargetProcessId=2892
TargetImage=C:\Windows\sysmon64.exe
GrantedAccess=0x1400
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50013 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:08.676
SourceProcessGUID={C8F4C507-6497-6140-4509-00000000F001}
SourceProcessId=6360
SourceThreadId=6428
SourceImage=C:\Windows\helppane.exe
TargetProcessGUID={C8F4C507-6498-6140-4609-00000000F001}
TargetProcessId=6388
TargetImage=C:\Program Files\Internet Explorer\iexplore.exe
GrantedAccess=0x1fffff
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80256|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+3d473|C:\Windows\System32\SHELL32.dll+3d33b|C:\Windows\System32\SHELL32.dll+3cc57|C:\Windows\System32\SHELL32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4

EventID=1 Version=5 Level=4 Task=1 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50012 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:08.673
ProcessGuid={C8F4C507-6498-6140-4609-00000000F001}
ProcessId=6388
Image=C:\Program Files\Internet Explorer\iexplore.exe
FileVersion=11.00.14393.2007 (rs1_release.171231-1800)
Description=Internet Explorer
Product=Internet Explorer
Company=Microsoft Corporation
OriginalFileName=IEXPLORE.EXE
CommandLine="C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?LinkId=528884
CurrentDirectory=C:\Windows\system32\
User=ATTACKRANGE\Administrator
LogonGuid={C8F4C507-5C85-6140-1A54-470000000000}
LogonId=0x47541a
TerminalSessionId=2
IntegrityLevel=High
Hashes=MD5=DED3D744D46A5CE7965CE2B75B54958A,SHA256=70C9616C026266BB3A1213BCC50E3A9A24238703FB7745746628D11163905D2F,IMPHASH=9BB01C801600CEBDCA166D0534E98CE6
ParentProcessGuid={C8F4C507-6497-6140-4509-00000000F001}
ParentProcessId=6360
ParentImage=C:\Windows\HelpPane.exe
ParentCommandLine=C:\Windows\helppane.exe -Embedding

EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50011 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
EventType=SetValue
UtcTime=2021-09-14 09:00:08.645
ProcessGuid={C8F4C507-6497-6140-4509-00000000F001}
ProcessId=6360
Image=C:\Windows\helppane.exe
TargetObject=HKU\S-1-5-21-4055001771-3186303834-728673413-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{17FE9752-0B5A-4665-84CD-569794602F5C} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF
Details=Binary Data

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50010 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:08.630
SourceProcessGUID={C8F4C507-5C86-6140-AF07-00000000F001}
SourceProcessId=1332
SourceThreadId=3520
SourceImage=C:\Windows\system32\taskhostw.exe
TargetProcessGUID={C8F4C507-5C87-6140-B607-00000000F001}
TargetProcessId=3372
TargetImage=C:\Windows\Explorer.EXE
GrantedAccess=0x1000
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50009 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:08.598
SourceProcessGUID={C8F4C507-4937-6140-0C00-00000000F001}
SourceProcessId=848
SourceThreadId=6952
SourceImage=C:\Windows\system32\svchost.exe
TargetProcessGUID={C8F4C507-4938-6140-1600-00000000F001}
TargetProcessId=1324
TargetImage=C:\Windows\system32\svchost.exe
GrantedAccess=0x1400
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50008 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:08.583
SourceProcessGUID={C8F4C507-4936-6140-0B00-00000000F001}
SourceProcessId=632
SourceThreadId=4692
SourceImage=C:\Windows\system32\lsass.exe
TargetProcessGUID={C8F4C507-6497-6140-4509-00000000F001}
TargetProcessId=6360
TargetImage=C:\Windows\helppane.exe
GrantedAccess=0x1478
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50007 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:08.567
SourceProcessGUID={C8F4C507-4936-6140-0B00-00000000F001}
SourceProcessId=632
SourceThreadId=4692
SourceImage=C:\Windows\system32\lsass.exe
TargetProcessGUID={C8F4C507-6497-6140-4509-00000000F001}
TargetProcessId=6360
TargetImage=C:\Windows\helppane.exe
GrantedAccess=0x1000
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50006 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:08.520
SourceProcessGUID={C8F4C507-5C87-6140-B607-00000000F001}
SourceProcessId=3372
SourceThreadId=288
SourceImage=C:\Windows\Explorer.EXE
TargetProcessGUID={C8F4C507-6497-6140-4509-00000000F001}
TargetProcessId=6360
TargetImage=C:\Windows\helppane.exe
GrantedAccess=0x1410
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50005 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:08.520
SourceProcessGUID={C8F4C507-5C87-6140-B607-00000000F001}
SourceProcessId=3372
SourceThreadId=288
SourceImage=C:\Windows\Explorer.EXE
TargetProcessGUID={C8F4C507-6497-6140-4509-00000000F001}
TargetProcessId=6360
TargetImage=C:\Windows\helppane.exe
GrantedAccess=0x1000
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50004 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:08.520
SourceProcessGUID={C8F4C507-5C87-6140-B607-00000000F001}
SourceProcessId=3372
SourceThreadId=288
SourceImage=C:\Windows\Explorer.EXE
TargetProcessGUID={C8F4C507-6497-6140-4509-00000000F001}
TargetProcessId=6360
TargetImage=C:\Windows\helppane.exe
GrantedAccess=0x1000
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50003 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:08.520
SourceProcessGUID={C8F4C507-5C87-6140-B607-00000000F001}
SourceProcessId=3372
SourceThreadId=288
SourceImage=C:\Windows\Explorer.EXE
TargetProcessGUID={C8F4C507-6497-6140-4509-00000000F001}
TargetProcessId=6360
TargetImage=C:\Windows\helppane.exe
GrantedAccess=0x1410
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50002 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:08.255
SourceProcessGUID={C8F4C507-4937-6140-0C00-00000000F001}
SourceProcessId=848
SourceThreadId=6952
SourceImage=C:\Windows\system32\svchost.exe
TargetProcessGUID={C8F4C507-6497-6140-4509-00000000F001}
TargetProcessId=6360
TargetImage=C:\Windows\helppane.exe
GrantedAccess=0x1000
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50001 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:08.255
SourceProcessGUID={C8F4C507-4938-6140-1600-00000000F001}
SourceProcessId=1324
SourceThreadId=5100
SourceImage=C:\Windows\system32\svchost.exe
TargetProcessGUID={C8F4C507-6497-6140-4509-00000000F001}
TargetProcessId=6360
TargetImage=C:\Windows\helppane.exe
GrantedAccess=0x1400
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:08.255
SourceProcessGUID={C8F4C507-4938-6140-1600-00000000F001}
SourceProcessId=1324
SourceThreadId=1352
SourceImage=C:\Windows\system32\svchost.exe
TargetProcessGUID={C8F4C507-6497-6140-4509-00000000F001}
TargetProcessId=6360
TargetImage=C:\Windows\helppane.exe
GrantedAccess=0x1478
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=49999 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:08.161
ProcessGuid={C8F4C507-495A-6140-7B00-00000000F001}
ProcessId=3640
User=NT AUTHORITY\SYSTEM
Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
Hashes=MD5=C6D0549EB79ADAB27B39CC12172344AA,SHA256=74D43C6E180480F90A3C3B02F14208138B38C41E9B228D84E023B65687B08538,IMPHASH=00000000000000000000000000000000
IsExecutable=false
Archived=true

EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27018 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-574.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:03.971
ProcessGuid={00000000-0000-0000-0000-000000000000}
ProcessId=3804
Image=<unknown process>
User=-
Protocol=tcp
Initiated=true
SourceIsIpv6=false
SourceIp=10.0.1.15
SourceHostname=win-host-574.attackrange.local
SourcePort=51017
SourcePortName=-
DestinationIsIpv6=false
DestinationIp=10.0.1.14
DestinationHostname=ip-10-0-1-14.eu-central-1.compute.internal
DestinationPort=389
DestinationPortName=ldap

EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27017 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-574.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:03.919
ProcessGuid={00000000-0000-0000-0000-000000000000}
ProcessId=3804
Image=<unknown process>
User=-
Protocol=tcp
Initiated=true
SourceIsIpv6=false
SourceIp=10.0.1.15
SourceHostname=win-host-574.attackrange.local
SourcePort=51016
SourcePortName=-
DestinationIsIpv6=false
DestinationIp=10.0.1.14
DestinationHostname=ip-10-0-1-14.eu-central-1.compute.internal
DestinationPort=389
DestinationPortName=ldap

EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27021 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-574.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:05.672
ProcessGuid={4A7D70D7-4C46-6140-CC00-00000000F101}
ProcessId=2772
Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe
User=NT AUTHORITY\SYSTEM
Protocol=tcp
Initiated=true
SourceIsIpv6=false
SourceIp=10.0.1.15
SourceHostname=win-host-574.attackrange.local
SourcePort=51021
SourcePortName=-
DestinationIsIpv6=false
DestinationIp=10.0.1.12
DestinationHostname=ip-10-0-1-12.eu-central-1.compute.internal
DestinationPort=8000
DestinationPortName=-

EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27020 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-574.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:09.866
ProcessGuid={4A7D70D7-4C4C-6140-D500-00000000F101}
ProcessId=4060
User=NT AUTHORITY\SYSTEM
Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
Hashes=MD5=49ABE432BA8E567740622BDC1D206F60,SHA256=29CFCFACE894989CE35DBC33C116786A4C3FBA1F0A2502D71E54E532884C5584,IMPHASH=00000000000000000000000000000000
IsExecutable=false
Archived=true

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50060 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:09.567
SourceProcessGUID={C8F4C507-5C86-6140-AF07-00000000F001}
SourceProcessId=1332
SourceThreadId=3520
SourceImage=C:\Windows\system32\taskhostw.exe
TargetProcessGUID={C8F4C507-6498-6140-4609-00000000F001}
TargetProcessId=6388
TargetImage=C:\Program Files\Internet Explorer\iexplore.exe
GrantedAccess=0x1000
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50059 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:09.567
SourceProcessGUID={C8F4C507-5C86-6140-AF07-00000000F001}
SourceProcessId=1332
SourceThreadId=3520
SourceImage=C:\Windows\system32\taskhostw.exe
TargetProcessGUID={C8F4C507-6498-6140-4609-00000000F001}
TargetProcessId=6388
TargetImage=C:\Program Files\Internet Explorer\iexplore.exe
GrantedAccess=0x1000
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50058 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:09.551
SourceProcessGUID={C8F4C507-5C87-6140-B607-00000000F001}
SourceProcessId=3372
SourceThreadId=7100
SourceImage=C:\Windows\Explorer.EXE
TargetProcessGUID={C8F4C507-6498-6140-4609-00000000F001}
TargetProcessId=6388
TargetImage=C:\Program Files\Internet Explorer\iexplore.exe
GrantedAccess=0x1000
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50057 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:09.551
SourceProcessGUID={C8F4C507-5C87-6140-B607-00000000F001}
SourceProcessId=3372
SourceThreadId=7100
SourceImage=C:\Windows\Explorer.EXE
TargetProcessGUID={C8F4C507-6498-6140-4609-00000000F001}
TargetProcessId=6388
TargetImage=C:\Program Files\Internet Explorer\iexplore.exe
GrantedAccess=0x1000
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50056 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:09.395
SourceProcessGUID={C8F4C507-6498-6140-4609-00000000F001}
SourceProcessId=6388
SourceThreadId=4424
SourceImage=C:\Program Files\Internet Explorer\iexplore.exe
TargetProcessGUID={C8F4C507-5C87-6140-B607-00000000F001}
TargetProcessId=3372
TargetImage=C:\Windows\Explorer.EXE
GrantedAccess=0x40
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d4a67|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+c1764|C:\Windows\SYSTEM32\IEFRAME.dll+c155d|C:\Windows\SYSTEM32\IEFRAME.dll+c1232|C:\Windows\SYSTEM32\IEFRAME.dll+c0b27|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50055 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:09.395
SourceProcessGUID={C8F4C507-6498-6140-4609-00000000F001}
SourceProcessId=6388
SourceThreadId=4424
SourceImage=C:\Program Files\Internet Explorer\iexplore.exe
TargetProcessGUID={C8F4C507-5C87-6140-B607-00000000F001}
TargetProcessId=3372
TargetImage=C:\Windows\Explorer.EXE
GrantedAccess=0x40
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d49d2|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+c1764|C:\Windows\SYSTEM32\IEFRAME.dll+c155d|C:\Windows\SYSTEM32\IEFRAME.dll+c1232|C:\Windows\SYSTEM32\IEFRAME.dll+c0b27|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50054 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:09.395
SourceProcessGUID={C8F4C507-6498-6140-4609-00000000F001}
SourceProcessId=6388
SourceThreadId=4424
SourceImage=C:\Program Files\Internet Explorer\iexplore.exe
TargetProcessGUID={C8F4C507-5C87-6140-B607-00000000F001}
TargetProcessId=3372
TargetImage=C:\Windows\Explorer.EXE
GrantedAccess=0x40
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+c1764|C:\Windows\SYSTEM32\IEFRAME.dll+c155d|C:\Windows\SYSTEM32\IEFRAME.dll+c1232|C:\Windows\SYSTEM32\IEFRAME.dll+c0b27|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50053 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:09.395
SourceProcessGUID={C8F4C507-6498-6140-4609-00000000F001}
SourceProcessId=6388
SourceThreadId=4424
SourceImage=C:\Program Files\Internet Explorer\iexplore.exe
TargetProcessGUID={C8F4C507-5C87-6140-B607-00000000F001}
TargetProcessId=3372
TargetImage=C:\Windows\Explorer.EXE
GrantedAccess=0x40
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+c1764|C:\Windows\SYSTEM32\IEFRAME.dll+c155d|C:\Windows\SYSTEM32\IEFRAME.dll+c1232|C:\Windows\SYSTEM32\IEFRAME.dll+c0b27|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50052 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:09.395
SourceProcessGUID={C8F4C507-6498-6140-4609-00000000F001}
SourceProcessId=6388
SourceThreadId=4424
SourceImage=C:\Program Files\Internet Explorer\iexplore.exe
TargetProcessGUID={C8F4C507-5C87-6140-B607-00000000F001}
TargetProcessId=3372
TargetImage=C:\Windows\Explorer.EXE
GrantedAccess=0x40
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d4a67|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+c1764|C:\Windows\SYSTEM32\IEFRAME.dll+c155d|C:\Windows\SYSTEM32\IEFRAME.dll+c1232|C:\Windows\SYSTEM32\IEFRAME.dll+c0b27|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50051 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:09.395
SourceProcessGUID={C8F4C507-6498-6140-4609-00000000F001}
SourceProcessId=6388
SourceThreadId=4424
SourceImage=C:\Program Files\Internet Explorer\iexplore.exe
TargetProcessGUID={C8F4C507-5C87-6140-B607-00000000F001}
TargetProcessId=3372
TargetImage=C:\Windows\Explorer.EXE
GrantedAccess=0x40
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d49d2|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+c1764|C:\Windows\SYSTEM32\IEFRAME.dll+c155d|C:\Windows\SYSTEM32\IEFRAME.dll+c1232|C:\Windows\SYSTEM32\IEFRAME.dll+c0b27|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50050 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:09.395
SourceProcessGUID={C8F4C507-6498-6140-4609-00000000F001}
SourceProcessId=6388
SourceThreadId=4424
SourceImage=C:\Program Files\Internet Explorer\iexplore.exe
TargetProcessGUID={C8F4C507-5C87-6140-B607-00000000F001}
TargetProcessId=3372
TargetImage=C:\Windows\Explorer.EXE
GrantedAccess=0x40
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+c1764|C:\Windows\SYSTEM32\IEFRAME.dll+c155d|C:\Windows\SYSTEM32\IEFRAME.dll+c1232|C:\Windows\SYSTEM32\IEFRAME.dll+c0b27|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50049 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:09.395
SourceProcessGUID={C8F4C507-6498-6140-4609-00000000F001}
SourceProcessId=6388
SourceThreadId=4424
SourceImage=C:\Program Files\Internet Explorer\iexplore.exe
TargetProcessGUID={C8F4C507-5C87-6140-B607-00000000F001}
TargetProcessId=3372
TargetImage=C:\Windows\Explorer.EXE
GrantedAccess=0x40
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+c1764|C:\Windows\SYSTEM32\IEFRAME.dll+c155d|C:\Windows\SYSTEM32\IEFRAME.dll+c1232|C:\Windows\SYSTEM32\IEFRAME.dll+c0b27|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50048 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:09.395
SourceProcessGUID={C8F4C507-6498-6140-4609-00000000F001}
SourceProcessId=6388
SourceThreadId=4424
SourceImage=C:\Program Files\Internet Explorer\iexplore.exe
TargetProcessGUID={C8F4C507-5C87-6140-B607-00000000F001}
TargetProcessId=3372
TargetImage=C:\Windows\Explorer.EXE
GrantedAccess=0x40
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d4a67|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+c1764|C:\Windows\SYSTEM32\IEFRAME.dll+c155d|C:\Windows\SYSTEM32\IEFRAME.dll+c1232|C:\Windows\SYSTEM32\IEFRAME.dll+c0b27|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50047 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:09.395
SourceProcessGUID={C8F4C507-6498-6140-4609-00000000F001}
SourceProcessId=6388
SourceThreadId=4424
SourceImage=C:\Program Files\Internet Explorer\iexplore.exe
TargetProcessGUID={C8F4C507-5C87-6140-B607-00000000F001}
TargetProcessId=3372
TargetImage=C:\Windows\Explorer.EXE
GrantedAccess=0x40
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d49d2|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+c1764|C:\Windows\SYSTEM32\IEFRAME.dll+c155d|C:\Windows\SYSTEM32\IEFRAME.dll+c1232|C:\Windows\SYSTEM32\IEFRAME.dll+c0b27|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=50046 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-158.attackrange.local
RuleName=-
UtcTime=2021-09-14 09:00:09.395
SourceProcessGUID={C8F4C507-6498-6140-4609-00000000F001}
SourceProcessId=6388
SourceThreadId=4424
SourceImage=C:\Program Files\Internet
[record continues on the following line]
Explorer\iexplore.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+c1764|C:\Windows\SYSTEM32\IEFRAME.dll+c155d|C:\Windows\SYSTEM32\IEFRAME.dll+c1232|C:\Windows\SYSTEM32\IEFRAME.dll+c0b27|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050045Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:09.395{C8F4C507-6498-6140-4609-00000000F001}63884424C:\Program Files\Internet 
Explorer\iexplore.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+c1764|C:\Windows\SYSTEM32\IEFRAME.dll+c155d|C:\Windows\SYSTEM32\IEFRAME.dll+c1232|C:\Windows\SYSTEM32\IEFRAME.dll+c0b27|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050044Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:09.395{C8F4C507-6498-6140-4609-00000000F001}63884424C:\Program Files\Internet Explorer\iexplore.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+6165e|C:\Windows\System32\windows.storage.dll+d42ec|C:\Windows\System32\windows.storage.dll+d40c8|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+c1764|C:\Windows\SYSTEM32\IEFRAME.dll+c155d|C:\Windows\SYSTEM32\IEFRAME.dll+c1232|C:\Windows\SYSTEM32\IEFRAME.dll+c0b27|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000050043Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:09.395{C8F4C507-6498-6140-4609-00000000F001}63884424C:\Program Files\Internet Explorer\iexplore.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+6164c|C:\Windows\System32\windows.storage.dll+d42ec|C:\Windows\System32\windows.storage.dll+d40c8|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+c1764|C:\Windows\SYSTEM32\IEFRAME.dll+c155d|C:\Windows\SYSTEM32\IEFRAME.dll+c1232|C:\Windows\SYSTEM32\IEFRAME.dll+c0b27|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050042Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:09.395{C8F4C507-6498-6140-4609-00000000F001}63884424C:\Program Files\Internet 
Explorer\iexplore.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+6164c|C:\Windows\System32\windows.storage.dll+d42ec|C:\Windows\System32\windows.storage.dll+d40c8|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+c1764|C:\Windows\SYSTEM32\IEFRAME.dll+c155d|C:\Windows\SYSTEM32\IEFRAME.dll+c1232|C:\Windows\SYSTEM32\IEFRAME.dll+c0b27|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050041Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:09.348{C8F4C507-6498-6140-4609-00000000F001}63885800C:\Program Files\Internet Explorer\iexplore.exe{C8F4C507-6499-6140-4709-00000000F001}4396C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\iertutil.dll+36ee1|C:\Windows\SYSTEM32\iertutil.dll+36a90|C:\Windows\SYSTEM32\iertutil.dll+34cbc|C:\Windows\SYSTEM32\iertutil.dll+3506f|C:\Windows\SYSTEM32\iertutil.dll+48188|C:\Windows\SYSTEM32\IEFRAME.dll+2ba622|C:\Windows\SYSTEM32\IEFRAME.dll+4ac39|C:\Windows\SYSTEM32\IEFRAME.dll+4aa18|C:\Windows\SYSTEM32\IEFRAME.dll+4a920|C:\Windows\SYSTEM32\IEFRAME.dll+4601d|C:\Windows\SYSTEM32\IEFRAME.dll+2a7a26|C:\Windows\SYSTEM32\IEFRAME.dll+152a14|C:\Windows\SYSTEM32\IEFRAME.dll+d9b81|C:\Windows\SYSTEM32\IEFRAME.dll+152a9f|C:\Program Files\Internet Explorer\iexplore.exe+14e9|C:\Program Files\Internet 
Explorer\iexplore.exe+1d77|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050040Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:09.333{C8F4C507-4938-6140-1600-00000000F001}13245100C:\Windows\system32\svchost.exe{C8F4C507-6499-6140-4809-00000000F001}6772C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050039Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:09.333{C8F4C507-4938-6140-1600-00000000F001}13241352C:\Windows\system32\svchost.exe{C8F4C507-6499-6140-4809-00000000F001}6772C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050038Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:09.317{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6499-6140-4809-00000000F001}6772C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050037Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:09.317{C8F4C507-5C83-6140-A007-00000000F001}42245620C:\Windows\system32\csrss.exe{C8F4C507-6499-6140-4709-00000000F001}4396C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050036Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:09.317{C8F4C507-5C83-6140-A007-00000000F001}4224696C:\Windows\system32\csrss.exe{C8F4C507-6499-6140-4809-00000000F001}6772C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050035Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:09.317{C8F4C507-4936-6140-0500-00000000F001}416532C:\Windows\system32\csrss.exe{C8F4C507-6499-6140-4809-00000000F001}6772C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050034Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:09.302{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6499-6140-4809-00000000F001}6772C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050033Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:09.270{C8F4C507-6498-6140-4609-00000000F001}63885800C:\Program Files\Internet Explorer\iexplore.exe{C8F4C507-6499-6140-4709-00000000F001}4396C:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\iertutil.dll+2702c|C:\Windows\SYSTEM32\iertutil.dll+28123|C:\Windows\SYSTEM32\iertutil.dll+36a21|C:\Windows\SYSTEM32\iertutil.dll+34cbc|C:\Windows\SYSTEM32\iertutil.dll+3506f|C:\Windows\SYSTEM32\iertutil.dll+48188|C:\Windows\SYSTEM32\IEFRAME.dll+2ba622|C:\Windows\SYSTEM32\IEFRAME.dll+4ac39|C:\Windows\SYSTEM32\IEFRAME.dll+4aa18|C:\Windows\SYSTEM32\IEFRAME.dll+4a920|C:\Windows\SYSTEM32\IEFRAME.dll+4601d|C:\Windows\SYSTEM32\IEFRAME.dll+2a7a26|C:\Windows\SYSTEM32\IEFRAME.dll+152a14|C:\Windows\SYSTEM32\IEFRAME.dll+d9b81|C:\Windows\SYSTEM32\IEFRAME.dll+152a9f|C:\Program Files\Internet Explorer\iexplore.exe+14e9|C:\Program Files\Internet Explorer\iexplore.exe+1d77|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050032Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:09.270{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050031Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:09.270{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050030Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:09.270{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050029Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:09.270{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050028Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:09.246{C8F4C507-6499-6140-4709-00000000F001}4396C:\Program Files (x86)\Internet Explorer\iexplore.exe11.00.14393.2007 (rs1_release.171231-1800)Internet ExplorerInternet ExplorerMicrosoft CorporationIEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6388 CREDAT:82945 /prefetch:2C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{C8F4C507-5C85-6140-1A54-470000000000}0x47541a2HighMD5=7D930D55986DF5C69CF1A9C2DE7E33B3,SHA256=BEBB0D2229700C6A62B7811985061DC75F6279AB0FF8747C47CCADB6CC2CC462,IMPHASH=E7542C041AAD637F8E6918BBE235A488{C8F4C507-6498-6140-4609-00000000F001}6388C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?LinkId=528884 10341000x800000000000000050027Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:09.224{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4938-6140-1600-00000000F001}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050026Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:09.192{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6498-6140-4609-00000000F001}6388C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050025Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:09.192{C8F4C507-495A-6140-7B00-00000000F001}3640NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53A0B2CF6E55230D285520A7324BE43B,SHA256=B41BB7EBC66B869A8D6132F0D604FA176DF2C237F1DC86DAE72445937D743EA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027022Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:10.928{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C15209AD64F4AAAD861469C8E9CE8FC,SHA256=735D57B1BF7A03F1A78DF0B06C8E76F9F8F87F0E3FC979167A8656F81DED90CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050064Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:10.333{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027E6990C64652614F94938E70011A4C,SHA256=EDE363AE8B797045241CDEBA23C0F0EBD49B9202E6337676D740D4B4F39B692C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050063Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:10.239{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CA64DB30A2460854441FC62E8651B0D,SHA256=41BECFB5069F2B940093BB2A3C716736217A31EEDDC553454988E7F8C37846C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050062Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:10.239{C8F4C507-4938-6140-1600-00000000F001}13245100C:\Windows\system32\svchost.exe{C8F4C507-6499-6140-4709-00000000F001}4396C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050061Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:10.239{C8F4C507-4938-6140-1600-00000000F001}13241352C:\Windows\system32\svchost.exe{C8F4C507-6499-6140-4709-00000000F001}4396C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027024Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:11.959{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D46EFBFEC0C58F8FA768062EA3A47DA8,SHA256=C9D26BE5618730E86F7FB25177426FB23DB0047B54AA9DCE259884E4593C8BA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050071Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:11.942{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4938-6140-1600-00000000F001}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050070Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:11.755{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-6499-6140-4709-00000000F001}4396C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050069Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:11.723{C8F4C507-4936-6140-0B00-00000000F001}6324692C:\Windows\system32\lsass.exe{C8F4C507-6499-6140-4709-00000000F001}4396C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050068Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:11.723{C8F4C507-4936-6140-0B00-00000000F001}6324692C:\Windows\system32\lsass.exe{C8F4C507-6499-6140-4709-00000000F001}4396C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x800000000000000050067Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:11.301{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F39270E954AC20A427C7D0D2B40F83,SHA256=5F336E0F6582115FD2FAD0C7A203EE9E91C395610B2EAB9CFFFC545F76A00655,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027023Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:11.772{4A7D70D7-4C3D-6140-9E00-00000000F101}360NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=97307B6C6226AFFEFEDDF9EBA24D5EA3,SHA256=4CB856A974CB30F2D8F223261AE885385947BBAEFF3925236FB5B2D7588E78E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050066Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:09.358{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local49518- 354300x800000000000000050065Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:09.247{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50715-false10.0.1.12-8000- 23542300x800000000000000027025Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:12.975{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98F3EFA6827046C49F0B6CD8814C97FD,SHA256=45E7BF08B5F5AC52F6B38D2CCA018D416BE8F3B7AC48F4EE32244A6A52BC0B64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050072Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:12.317{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B457CF5838C53C1A5E29C3D65B0AE5D,SHA256=3E6114803AEFE6F7CDD5662F1B18DB6926B0F6CD7966A1E32152846C8B2A6F4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050076Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:13.364{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F6A6CF2F8ACBDB423722F88316A623A,SHA256=DDB59116E32D70EF52B95FC93D56A842B8FCB42269AC38B851D678B74563580F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027026Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:10.312{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51022-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000050075Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:13.148{C8F4C507-6498-6140-4609-00000000F001}63885800C:\Program Files\Internet 
Explorer\iexplore.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\system32\explorerframe.dll+154e|C:\Windows\SYSTEM32\IEFRAME.dll+ceeaa|C:\Windows\SYSTEM32\IEFRAME.dll+78a6a|C:\Windows\SYSTEM32\IEFRAME.dll+79f99|C:\Windows\SYSTEM32\IEFRAME.dll+7b7f2|C:\Windows\SYSTEM32\IEFRAME.dll+777d8|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32c3d|C:\Windows\SYSTEM32\IEFRAME.dll+8201b|C:\Windows\SYSTEM32\IEFRAME.dll+4ae5b|C:\Windows\SYSTEM32\IEFRAME.dll+4aa18|C:\Windows\SYSTEM32\IEFRAME.dll+4a920|C:\Windows\SYSTEM32\IEFRAME.dll+4601d|C:\Windows\SYSTEM32\IEFRAME.dll+2a7a26|C:\Windows\SYSTEM32\IEFRAME.dll+152a14|C:\Windows\SYSTEM32\IEFRAME.dll+d9b81 10341000x800000000000000050074Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:13.148{C8F4C507-6498-6140-4609-00000000F001}63885800C:\Program Files\Internet 
Explorer\iexplore.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\system32\explorerframe.dll+1501|C:\Windows\SYSTEM32\IEFRAME.dll+ceeaa|C:\Windows\SYSTEM32\IEFRAME.dll+78a6a|C:\Windows\SYSTEM32\IEFRAME.dll+79f99|C:\Windows\SYSTEM32\IEFRAME.dll+7b7f2|C:\Windows\SYSTEM32\IEFRAME.dll+777d8|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32c3d|C:\Windows\SYSTEM32\IEFRAME.dll+8201b|C:\Windows\SYSTEM32\IEFRAME.dll+4ae5b|C:\Windows\SYSTEM32\IEFRAME.dll+4aa18|C:\Windows\SYSTEM32\IEFRAME.dll+4a920|C:\Windows\SYSTEM32\IEFRAME.dll+4601d|C:\Windows\SYSTEM32\IEFRAME.dll+2a7a26|C:\Windows\SYSTEM32\IEFRAME.dll+152a14 10341000x800000000000000050073Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:13.148{C8F4C507-6498-6140-4609-00000000F001}63885800C:\Program Files\Internet 
Explorer\iexplore.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\system32\explorerframe.dll+1501|C:\Windows\SYSTEM32\IEFRAME.dll+ceeaa|C:\Windows\SYSTEM32\IEFRAME.dll+78a6a|C:\Windows\SYSTEM32\IEFRAME.dll+79f99|C:\Windows\SYSTEM32\IEFRAME.dll+7b7f2|C:\Windows\SYSTEM32\IEFRAME.dll+777d8|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32c3d|C:\Windows\SYSTEM32\IEFRAME.dll+8201b|C:\Windows\SYSTEM32\IEFRAME.dll+4ae5b|C:\Windows\SYSTEM32\IEFRAME.dll+4aa18|C:\Windows\SYSTEM32\IEFRAME.dll+4a920|C:\Windows\SYSTEM32\IEFRAME.dll+4601d|C:\Windows\SYSTEM32\IEFRAME.dll+2a7a26|C:\Windows\SYSTEM32\IEFRAME.dll+152a14|C:\Windows\SYSTEM32\IEFRAME.dll+d9b81 23542300x800000000000000050077Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:14.442{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9B2A915D68E7C0459A82009F39C837D,SHA256=41DCE42C155F2839E1E07426631A4E119A0CE5E98B7F57FDE588A5AAFE2C9E00,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027028Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:11.687{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51023-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 
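The ProcessAccess (EventID 10) records in this dump show three patterns that have to be told apart before alerting on GrantedAccess: explorer.exe opening the cmd.exe it has just spawned with 0x1fffff (PROCESS_ALL_ACCESS, paired with the EventID 1 record carrying the same ProcessGuid, {C8F4C507-64A1-6140-4909-00000000F001}), csrss.exe opening that same new process with 0x1fffff, and svchost.exe (lsm.dll over RPCRT4 in the CallTrace) opening sysmon64.exe with 0x1400, which is only QUERY_INFORMATION | QUERY_LIMITED_INFORMATION. The Python below is an added example and is not part of this log dump or of Splunk Attack Range. It rebuilds those records as Sysmon XML (the envelope is reconstructed because the page's records lost their tags; the field values are copied from the page), decodes the access mask bit by bit, uses the EventID 1 parent/child link to recognise the creation-time handle, and flags tamper-capable access to a protected process. The sensitive-target list, the csrss.exe allowlist, the two-second pairing window and the fifth, deliberately suspicious record (hypothetical.exe) are assumptions of the example, not data from the page.

```python
"""Triage Sysmon ProcessAccess (EventID 10) records with ProcessCreate (EventID 1) context.
Added example, not part of the original log dump; XML envelope reconstructed, see README text."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from xml.sax.saxutils import escape

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# PROCESS_* access rights (winnt.h). 0x1fffff is PROCESS_ALL_ACCESS.
PROCESS_RIGHTS = {
    0x0001: "TERMINATE", 0x0002: "CREATE_THREAD", 0x0004: "SET_SESSIONID",
    0x0008: "VM_OPERATION", 0x0010: "VM_READ", 0x0020: "VM_WRITE", 0x0040: "DUP_HANDLE",
    0x0080: "CREATE_PROCESS", 0x0100: "SET_QUOTA", 0x0200: "SET_INFORMATION",
    0x0400: "QUERY_INFORMATION", 0x0800: "SUSPEND_RESUME", 0x1000: "QUERY_LIMITED_INFORMATION",
    0x2000: "SET_LIMITED_INFORMATION", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
# Rights that let the caller read, write or run code in the target, or dup its handles.
TAMPER_MASK = 0x0002 | 0x0008 | 0x0010 | 0x0020 | 0x0040 | 0x0800
# Assumptions for this example: targets worth protecting, and a source that legitimately
# opens every new Win32 process (the CSRSS subsystem; see the basesrv.dll call trace).
SENSITIVE_TARGETS = {"sysmon64.exe"}
SUBSYSTEM_SOURCES = {"csrss.exe"}
PARENT_WINDOW = timedelta(seconds=2)


def sysmon_xml(event_id, data):
    """Wrap Data fields in a minimal Sysmon event envelope (reconstructed, not from the page)."""
    body = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS[1:-1]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f"<EventID>{event_id}</EventID><Computer>win-dc-158.attackrange.local</Computer>"
            f"</System><EventData>{body}</EventData></Event>")


def parse_event(xml_text):
    """Flatten one event into a dict keyed by EventID, UtcTime and each Data Name."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": int(root.find(f"{NS}System/{NS}EventID").text)}
    for d in root.iter(f"{NS}Data"):
        ev[d.get("Name")] = d.text or ""
    ev["UtcTime"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    return ev


def decode_access(mask):
    """Name the rights set in a GrantedAccess mask; bits without a name are kept as hex."""
    names = [name for bit, name in PROCESS_RIGHTS.items() if mask & bit]
    leftover = mask & ~sum(PROCESS_RIGHTS)
    return names + ([hex(leftover)] if leftover else [])


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Classify each EventID 10 record; EventID 1 records supply the parent/child link."""
    created = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    results = []
    for e in events:
        if e["EventID"] != 10:
            continue
        mask = int(e["GrantedAccess"], 16)
        child = created.get(e["TargetProcessGUID"])
        if (child and child["ParentProcessGuid"] == e["SourceProcessGUID"]
                and abs(child["UtcTime"] - e["UtcTime"]) <= PARENT_WINDOW):
            verdict = "expected"   # parent holds the full-access handle CreateProcess returned
        elif basename(e["SourceImage"]) in SUBSYSTEM_SOURCES:
            verdict = "expected"   # subsystem bookkeeping for the new process
        elif not mask & TAMPER_MASK:
            verdict = "benign"     # query-only, e.g. 0x1400 from lsm.dll session enumeration
        elif basename(e["TargetImage"]) in SENSITIVE_TARGETS:
            verdict = "alert"      # tamper-capable handle to a protected process
        else:
            verdict = "review"
        results.append({"source": e["SourceImage"], "target": e["TargetImage"],
                        "rights": decode_access(mask), "verdict": verdict})
    return results


# ProcessGuids copied from the page's records.
EXPLORER = "{C8F4C507-5C87-6140-B607-00000000F001}"
CMD = "{C8F4C507-64A1-6140-4909-00000000F001}"
CSRSS = "{C8F4C507-5C83-6140-A007-00000000F001}"
SVCHOST = "{C8F4C507-4937-6140-0C00-00000000F001}"
SYSMON = "{C8F4C507-4948-6140-2900-00000000F001}"


def access_event(utc, src_guid, src_image, tgt_guid, tgt_image, granted):
    return sysmon_xml(10, {"UtcTime": utc, "SourceProcessGUID": src_guid, "SourceImage": src_image,
                           "TargetProcessGUID": tgt_guid, "TargetImage": tgt_image,
                           "GrantedAccess": granted})


SAMPLE_EVENTS = [
    # EventID 1 from the page: Administrator's cmd.exe launched by explorer.exe.
    sysmon_xml(1, {"UtcTime": "2021-09-14 09:00:17.937", "ProcessGuid": CMD,
                   "Image": r"C:\Windows\System32\cmd.exe",
                   "CommandLine": r'"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon"',
                   "User": r"ATTACKRANGE\Administrator", "IntegrityLevel": "High",
                   "ParentProcessGuid": EXPLORER, "ParentImage": r"C:\Windows\explorer.exe"}),
    # EventID 10 records from the page.
    access_event("2021-09-14 09:00:17.926", EXPLORER, r"C:\Windows\Explorer.EXE",
                 CMD, r"C:\Windows\system32\cmd.exe", "0x1fffff"),
    access_event("2021-09-14 09:00:17.926", CSRSS, r"C:\Windows\system32\csrss.exe",
                 CMD, r"C:\Windows\system32\cmd.exe", "0x1fffff"),
    access_event("2021-09-14 09:00:17.926", SVCHOST, r"C:\Windows\system32\svchost.exe",
                 SYSMON, r"C:\Windows\sysmon64.exe", "0x1400"),
    # Constructed record, NOT from the page: a hypothetical tool requesting
    # CREATE_THREAD|VM_OPERATION|VM_READ|VM_WRITE on the Sysmon service process.
    access_event("2021-09-14 09:00:18.000", "{00000000-0000-0000-0000-000000000000}",
                 r"C:\Users\Public\hypothetical.exe", SYSMON, r"C:\Windows\sysmon64.exe", "0x143a"),
]


def triage_sample():
    return triage([parse_event(x) for x in SAMPLE_EVENTS])


if __name__ == "__main__":
    for r in triage_sample():
        print(f'{r["verdict"]:8} {basename(r["source"])} -> {basename(r["target"])}: {", ".join(r["rights"])}')
```

Run directly, the script prints one line per ProcessAccess record: the three records taken from the page come out as expected, expected and benign, and only the constructed record alerts. Decoding the mask rather than matching literal values is the point: Sysmon reports exactly the rights the caller asked for, so a detection keyed on 0x1fffff alone misses a narrower request that still carries VM_WRITE or CREATE_THREAD, while the parent/child pairing against EventID 1 removes the 0x1fffff noise that every CreateProcess call produces.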
23542300x800000000000000027027Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:14.006{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCB025BAD921CA63664CB91E08485EA2,SHA256=C287F37CB4C6C3588985E214953A7C839343041CB7FA3B00EDEDFBECE37B337F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050078Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:15.458{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E572F9D6B01C0CCF924FF66928A8298,SHA256=88A8BC1767A0C4CD284230C2E17CA7A7DCC7A0B90F9A169726CA526AE1ACC394,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027029Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:15.037{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F1141098EF660CFE682F4E29C8430DB,SHA256=D94E4634F468E9AAEA4E76723DE3981AABB528E504873A923915BEF5B154D143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050082Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:16.911{C8F4C507-6499-6140-4709-00000000F001}4396ATTACKRANGE\AdministratorC:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\5X0NYBOF\dnserror[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050081Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:16.755{C8F4C507-5C86-6140-AF07-00000000F001}1332ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\WebCache\V010000D.logMD5=E4C6676C78CC4C4D6F2567B9AC7017D2,SHA256=D81A3971AEB6E2F0A44D87FC1BE9A7028703FFC217D51B997BEA7F8191DF0C50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050080Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:16.755{C8F4C507-5C86-6140-AF07-00000000F001}1332ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\WebCache\V010000C.logMD5=E73B01A119FFF83FF73E2C932CF77FFC,SHA256=617FED653D274342F04FD3DC4D63581A928168A449E0B3A8A22F1D059A06C530,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050079Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:16.552{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=220BBEA8635C6D4D5A0A4743C8A84DB4,SHA256=ED2B99EF82FDDD1908D9040BC5695BA62EF45D276B006A0F6F0CD50BC62E57CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027030Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:16.053{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E30F43BA34828945CC35B77750B24918,SHA256=DDEC15BC1147E046CCE7D723D5816BFFE598DD1E8069105DD1BC91B470AC9CF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050115Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.958{C8F4C507-5C83-6140-A007-00000000F001}42241076C:\Windows\system32\csrss.exe{C8F4C507-64A1-6140-4A09-00000000F001}5564C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050114Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.926{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050113Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:17.926{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050112Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.926{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050111Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:17.926{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050110Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.926{C8F4C507-5C83-6140-A007-00000000F001}4224696C:\Windows\system32\csrss.exe{C8F4C507-64A1-6140-4909-00000000F001}172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050109Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:17.926{C8F4C507-5C87-6140-B607-00000000F001}33726064C:\Windows\Explorer.EXE{C8F4C507-64A1-6140-4909-00000000F001}172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+1f9bca|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+175660|C:\Windows\System32\SHELL32.dll+17c30c|C:\Windows\System32\SHELL32.dll+19ead8|C:\Windows\System32\SHELL32.dll+17c4a6|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x800000000000000050108Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.937{C8F4C507-64A1-6140-4909-00000000F001}172C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon"C:\Windows\system32\ATTACKRANGE\Administrator{C8F4C507-5C85-6140-1A54-470000000000}0x47541a2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x800000000000000050107Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:17.926{C8F4C507-5C86-6140-AF07-00000000F001}13323520C:\Windows\system32\taskhostw.exe{C8F4C507-6499-6140-4709-00000000F001}4396C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050106Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.926{C8F4C507-5C86-6140-AF07-00000000F001}13323520C:\Windows\system32\taskhostw.exe{C8F4C507-6499-6140-4709-00000000F001}4396C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050105Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.911{C8F4C507-5C87-6140-B607-00000000F001}33727100C:\Windows\Explorer.EXE{C8F4C507-6499-6140-4709-00000000F001}4396C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050104Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:17.911{C8F4C507-5C87-6140-B607-00000000F001}33727100C:\Windows\Explorer.EXE{C8F4C507-6499-6140-4709-00000000F001}4396C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050103Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.911{C8F4C507-6499-6140-4709-00000000F001}4396932C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{C8F4C507-6498-6140-4609-00000000F001}6388C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1bad58(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1bad0f(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1bacb6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+3a7dae(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1b4bfe(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1b4b4b(wow64)|C:\Program Files (x86)\Internet 
Explorer\IEShims.dll+3fc44(wow64)|C:\Windows\SYSTEM32\urlmon.dll+10c130(wow64)|C:\Windows\SYSTEM32\urlmon.dll+77caa(wow64)|C:\Windows\SYSTEM32\urlmon.dll+78450(wow64)|C:\Windows\SYSTEM32\urlmon.dll+7856c(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+52e609(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+3dccc0(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+43c9c7(wow64) 23542300x800000000000000050102Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.661{C8F4C507-6498-6140-4609-00000000F001}6388ATTACKRANGE\AdministratorC:\Program Files\Internet Explorer\iexplore.exeC:\Users\ADMINI~1\AppData\Local\Temp\Kno2727.tmpMD5=002D5646771D31D1E7C57990CC020150,SHA256=1E2E25BF730FF20C89D57AA38F7F34BE7690820E8279B20127D0014DD27B743F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050101Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.661{C8F4C507-6498-6140-4609-00000000F001}6388ATTACKRANGE\AdministratorC:\Program Files\Internet Explorer\iexplore.exeC:\Users\ADMINI~1\AppData\Local\Temp\Kno2727.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050100Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.583{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BDACF814F9C002C40015CD8C271BFFC,SHA256=046DC59C0C7626980EBF28699876D2C0661EDB80F31D620EC3030710EF89AE61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027031Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:17.069{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FE85274609899D32953BAC19121421,SHA256=B475CA0BF106E46BF34BF5C2C819E1EE46C87127C9F1DB9D1B315874BC6A56F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050099Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.536{C8F4C507-6498-6140-4609-00000000F001}63885472C:\Program Files\Internet Explorer\iexplore.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d4a67|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+4f861|C:\Windows\SYSTEM32\IEFRAME.dll+4ed33|C:\Windows\SYSTEM32\IEFRAME.dll+d518d|C:\Windows\SYSTEM32\IEFRAME.dll+d59b1|C:\Windows\SYSTEM32\IEFRAME.dll+102cd6|C:\Windows\SYSTEM32\IEFRAME.dll+1026af|C:\Windows\SYSTEM32\IEFRAME.dll+1025b1|C:\Windows\SYSTEM32\IEFRAME.dll+1023d4|C:\Windows\SYSTEM32\IEFRAME.dll+102331|C:\Windows\SYSTEM32\IEFRAME.dll+42cce|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050098Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.520{C8F4C507-6498-6140-4609-00000000F001}63885472C:\Program Files\Internet 
Explorer\iexplore.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d49d2|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+4f861|C:\Windows\SYSTEM32\IEFRAME.dll+4ed33|C:\Windows\SYSTEM32\IEFRAME.dll+d518d|C:\Windows\SYSTEM32\IEFRAME.dll+d59b1|C:\Windows\SYSTEM32\IEFRAME.dll+102cd6|C:\Windows\SYSTEM32\IEFRAME.dll+1026af|C:\Windows\SYSTEM32\IEFRAME.dll+1025b1|C:\Windows\SYSTEM32\IEFRAME.dll+1023d4|C:\Windows\SYSTEM32\IEFRAME.dll+102331|C:\Windows\SYSTEM32\IEFRAME.dll+42cce|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050097Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.520{C8F4C507-6498-6140-4609-00000000F001}63885472C:\Program Files\Internet 
Explorer\iexplore.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+4f861|C:\Windows\SYSTEM32\IEFRAME.dll+4ed33|C:\Windows\SYSTEM32\IEFRAME.dll+d518d|C:\Windows\SYSTEM32\IEFRAME.dll+d59b1|C:\Windows\SYSTEM32\IEFRAME.dll+102cd6|C:\Windows\SYSTEM32\IEFRAME.dll+1026af|C:\Windows\SYSTEM32\IEFRAME.dll+1025b1|C:\Windows\SYSTEM32\IEFRAME.dll+1023d4|C:\Windows\SYSTEM32\IEFRAME.dll+102331|C:\Windows\SYSTEM32\IEFRAME.dll+42cce|C:\Windows\SYSTEM32\ntdll.dll+39cf9 10341000x800000000000000050096Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.520{C8F4C507-6498-6140-4609-00000000F001}63885472C:\Program Files\Internet 
Explorer\iexplore.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+4f861|C:\Windows\SYSTEM32\IEFRAME.dll+4ed33|C:\Windows\SYSTEM32\IEFRAME.dll+d518d|C:\Windows\SYSTEM32\IEFRAME.dll+d59b1|C:\Windows\SYSTEM32\IEFRAME.dll+102cd6|C:\Windows\SYSTEM32\IEFRAME.dll+1026af|C:\Windows\SYSTEM32\IEFRAME.dll+1025b1|C:\Windows\SYSTEM32\IEFRAME.dll+1023d4|C:\Windows\SYSTEM32\IEFRAME.dll+102331|C:\Windows\SYSTEM32\IEFRAME.dll+42cce|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a 10341000x800000000000000050095Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.520{C8F4C507-6498-6140-4609-00000000F001}63885472C:\Program Files\Internet 
Explorer\iexplore.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d4a67|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+4f861|C:\Windows\SYSTEM32\IEFRAME.dll+4ed33|C:\Windows\SYSTEM32\IEFRAME.dll+d518d|C:\Windows\SYSTEM32\IEFRAME.dll+d59b1|C:\Windows\SYSTEM32\IEFRAME.dll+102cd6|C:\Windows\SYSTEM32\IEFRAME.dll+1026af|C:\Windows\SYSTEM32\IEFRAME.dll+1025b1|C:\Windows\SYSTEM32\IEFRAME.dll+1023d4|C:\Windows\SYSTEM32\IEFRAME.dll+102331|C:\Windows\SYSTEM32\IEFRAME.dll+42cce|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050094Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.520{C8F4C507-6498-6140-4609-00000000F001}63885472C:\Program Files\Internet 
Explorer\iexplore.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d49d2|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+4f861|C:\Windows\SYSTEM32\IEFRAME.dll+4ed33|C:\Windows\SYSTEM32\IEFRAME.dll+d518d|C:\Windows\SYSTEM32\IEFRAME.dll+d59b1|C:\Windows\SYSTEM32\IEFRAME.dll+102cd6|C:\Windows\SYSTEM32\IEFRAME.dll+1026af|C:\Windows\SYSTEM32\IEFRAME.dll+1025b1|C:\Windows\SYSTEM32\IEFRAME.dll+1023d4|C:\Windows\SYSTEM32\IEFRAME.dll+102331|C:\Windows\SYSTEM32\IEFRAME.dll+42cce|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050093Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.520{C8F4C507-6498-6140-4609-00000000F001}63885472C:\Program Files\Internet 
Explorer\iexplore.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+4f861|C:\Windows\SYSTEM32\IEFRAME.dll+4ed33|C:\Windows\SYSTEM32\IEFRAME.dll+d518d|C:\Windows\SYSTEM32\IEFRAME.dll+d59b1|C:\Windows\SYSTEM32\IEFRAME.dll+102cd6|C:\Windows\SYSTEM32\IEFRAME.dll+1026af|C:\Windows\SYSTEM32\IEFRAME.dll+1025b1|C:\Windows\SYSTEM32\IEFRAME.dll+1023d4|C:\Windows\SYSTEM32\IEFRAME.dll+102331|C:\Windows\SYSTEM32\IEFRAME.dll+42cce|C:\Windows\SYSTEM32\ntdll.dll+39cf9 10341000x800000000000000050092Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.520{C8F4C507-6498-6140-4609-00000000F001}63885472C:\Program Files\Internet 
Explorer\iexplore.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\shcore.dll+3282b|C:\Windows\System32\shcore.dll+3278f|C:\Windows\SYSTEM32\IEFRAME.dll+4f861|C:\Windows\SYSTEM32\IEFRAME.dll+4ed33|C:\Windows\SYSTEM32\IEFRAME.dll+d518d|C:\Windows\SYSTEM32\IEFRAME.dll+d59b1|C:\Windows\SYSTEM32\IEFRAME.dll+102cd6|C:\Windows\SYSTEM32\IEFRAME.dll+1026af|C:\Windows\SYSTEM32\IEFRAME.dll+1025b1|C:\Windows\SYSTEM32\IEFRAME.dll+1023d4|C:\Windows\SYSTEM32\IEFRAME.dll+102331|C:\Windows\SYSTEM32\IEFRAME.dll+42cce|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a 10341000x800000000000000050091Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.475{C8F4C507-6498-6140-4609-00000000F001}63885800C:\Program Files\Internet 
Explorer\iexplore.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81cf7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8033A46E8A8)|UNKNOWN(FFFFB464B6EA5B68)|UNKNOWN(FFFFB464B6EA0815)|UNKNOWN(FFFFB464B6EA1D3A)|UNKNOWN(FFFFB464B6E9FFF6)|UNKNOWN(FFFFF8033A186103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\SYSTEM32\IEUI.dll+54ab|C:\Windows\SYSTEM32\IEFRAME.dll+81c93|C:\Windows\SYSTEM32\IEFRAME.dll+4ae5b|C:\Windows\SYSTEM32\IEFRAME.dll+4aa18 23542300x800000000000000050090Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.442{C8F4C507-6499-6140-4709-00000000F001}4396ATTACKRANGE\AdministratorC:\Program Files (x86)\Internet Explorer\IEXPLORE.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\70A7KYNV\NewErrorPageTemplate[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050089Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.411{C8F4C507-5C87-6140-B607-00000000F001}33727100C:\Windows\Explorer.EXE{C8F4C507-6499-6140-4709-00000000F001}4396C:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050088Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.411{C8F4C507-5C87-6140-B607-00000000F001}33727100C:\Windows\Explorer.EXE{C8F4C507-6499-6140-4709-00000000F001}4396C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050087Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.411{C8F4C507-6498-6140-4609-00000000F001}63885800C:\Program Files\Internet 
Explorer\iexplore.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81b7d|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\SYSTEM32\IEFRAME.dll+11df18|C:\Windows\SYSTEM32\IEFRAME.dll+80202|C:\Windows\SYSTEM32\IEFRAME.dll+8287a|C:\Windows\SYSTEM32\IEFRAME.dll+873a4|C:\Windows\SYSTEM32\IEFRAME.dll+c9f1e|C:\Windows\SYSTEM32\IEFRAME.dll+84641|C:\Windows\SYSTEM32\IEFRAME.dll+7974d|C:\Windows\SYSTEM32\IEFRAME.dll+7a289|C:\Windows\SYSTEM32\IEFRAME.dll+7b7f2|C:\Windows\SYSTEM32\IEFRAME.dll+777d8|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32c3d|C:\Windows\SYSTEM32\IEFRAME.dll+8201b|C:\Windows\SYSTEM32\IEFRAME.dll+4ae5b|C:\Windows\SYSTEM32\IEFRAME.dll+4aa18 10341000x800000000000000050086Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.411{C8F4C507-6498-6140-4609-00000000F001}63885800C:\Program Files\Internet 
Explorer\iexplore.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81af9|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\SYSTEM32\IEFRAME.dll+11df18|C:\Windows\SYSTEM32\IEFRAME.dll+80202|C:\Windows\SYSTEM32\IEFRAME.dll+8287a|C:\Windows\SYSTEM32\IEFRAME.dll+873a4|C:\Windows\SYSTEM32\IEFRAME.dll+c9f1e|C:\Windows\SYSTEM32\IEFRAME.dll+84641|C:\Windows\SYSTEM32\IEFRAME.dll+7974d|C:\Windows\SYSTEM32\IEFRAME.dll+7a289|C:\Windows\SYSTEM32\IEFRAME.dll+7b7f2|C:\Windows\SYSTEM32\IEFRAME.dll+777d8|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32c3d|C:\Windows\SYSTEM32\IEFRAME.dll+8201b|C:\Windows\SYSTEM32\IEFRAME.dll+4ae5b|C:\Windows\SYSTEM32\IEFRAME.dll+4aa18 10341000x800000000000000050085Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.411{C8F4C507-6498-6140-4609-00000000F001}63885800C:\Program Files\Internet 
Explorer\iexplore.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81add|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\SYSTEM32\IEFRAME.dll+11df18|C:\Windows\SYSTEM32\IEFRAME.dll+80202|C:\Windows\SYSTEM32\IEFRAME.dll+8287a|C:\Windows\SYSTEM32\IEFRAME.dll+873a4|C:\Windows\SYSTEM32\IEFRAME.dll+c9f1e|C:\Windows\SYSTEM32\IEFRAME.dll+84641|C:\Windows\SYSTEM32\IEFRAME.dll+7974d|C:\Windows\SYSTEM32\IEFRAME.dll+7a289|C:\Windows\SYSTEM32\IEFRAME.dll+7b7f2|C:\Windows\SYSTEM32\IEFRAME.dll+777d8|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000050084Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.411{C8F4C507-6498-6140-4609-00000000F001}63885800C:\Program Files\Internet 
Explorer\iexplore.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81add|C:\Windows\System32\SHELL32.dll+82223|C:\Windows\System32\SHELL32.dll+82154|C:\Windows\System32\SHELL32.dll+81a02|C:\Windows\SYSTEM32\IEFRAME.dll+11df18|C:\Windows\SYSTEM32\IEFRAME.dll+80202|C:\Windows\SYSTEM32\IEFRAME.dll+8287a|C:\Windows\SYSTEM32\IEFRAME.dll+873a4|C:\Windows\SYSTEM32\IEFRAME.dll+c9f1e|C:\Windows\SYSTEM32\IEFRAME.dll+84641|C:\Windows\SYSTEM32\IEFRAME.dll+7974d|C:\Windows\SYSTEM32\IEFRAME.dll+7a289|C:\Windows\SYSTEM32\IEFRAME.dll+7b7f2|C:\Windows\SYSTEM32\IEFRAME.dll+777d8|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32c3d 354300x800000000000000050083Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:15.262{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50716-false10.0.1.12-8000- 23542300x800000000000000050134Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:18.973{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B86E81604DEF0A675C200742F8BDBDCC,SHA256=C190A3388FFFF87B69FA441E8EE2400460A1568E493F1141FB6428E827DF0893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050133Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:18.973{C8F4C507-495A-6140-7B00-00000000F001}3640NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBCD7D02DD308DCA891AAE4E08FACA5F,SHA256=37C932A092BCD2BDA00ADE9A90FFFB01616DBAD60C02B7AFAC4DB7B41712E2E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050132Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:18.973{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47309035C78C7EDD6A8D59410936E1BC,SHA256=323199AE92FDD62A749FCEA638F1D1129B66031D8A018022F2E61928D1395444,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027032Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:18.084{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BCAA0DFCFE70822ABFFC88D7DDA81AB,SHA256=6C9781EFECF0D2DE3DA68707AEE72D6D3D969B1F8D2214F33CBE3861CE920842,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050131Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:18.161{C8F4C507-5C87-6140-B607-00000000F001}33724168C:\Windows\Explorer.EXE{C8F4C507-64A1-6140-4909-00000000F001}172C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050130Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:18.161{C8F4C507-5C87-6140-B607-00000000F001}33724168C:\Windows\Explorer.EXE{C8F4C507-64A1-6140-4909-00000000F001}172C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050129Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:18.161{C8F4C507-5C87-6140-B607-00000000F001}33724168C:\Windows\Explorer.EXE{C8F4C507-64A1-6140-4909-00000000F001}172C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050128Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:18.161{C8F4C507-5C86-6140-AF07-00000000F001}13323520C:\Windows\system32\taskhostw.exe{C8F4C507-64A1-6140-4A09-00000000F001}5564C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050127Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:18.161{C8F4C507-5C86-6140-AF07-00000000F001}13323520C:\Windows\system32\taskhostw.exe{C8F4C507-64A1-6140-4A09-00000000F001}5564C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050126Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:18.130{C8F4C507-5C87-6140-B607-00000000F001}33727100C:\Windows\Explorer.EXE{C8F4C507-64A1-6140-4909-00000000F001}172C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050125Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:18.130{C8F4C507-5C87-6140-B607-00000000F001}33727100C:\Windows\Explorer.EXE{C8F4C507-64A1-6140-4909-00000000F001}172C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050124Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:18.130{C8F4C507-5C87-6140-B607-00000000F001}33727100C:\Windows\Explorer.EXE{C8F4C507-64A1-6140-4909-00000000F001}172C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050123Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:18.130{C8F4C507-5C87-6140-B607-00000000F001}33727100C:\Windows\Explorer.EXE{C8F4C507-64A1-6140-4909-00000000F001}172C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050122Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:18.130{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-64A1-6140-4A09-00000000F001}5564C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050121Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:18.130{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-64A1-6140-4A09-00000000F001}5564C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050120Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:18.130{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-64A1-6140-4A09-00000000F001}5564C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050119Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:18.130{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-64A1-6140-4A09-00000000F001}5564C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050118Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:18.098{C8F4C507-4938-6140-1600-00000000F001}13241456C:\Windows\system32\svchost.exe{C8F4C507-64A1-6140-4A09-00000000F001}5564C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050117Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:18.098{C8F4C507-4938-6140-1600-00000000F001}13241352C:\Windows\system32\svchost.exe{C8F4C507-64A1-6140-4A09-00000000F001}5564C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050116Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:18.067{C8F4C507-64A1-6140-4A09-00000000F001}55646768C:\Windows\system32\conhost.exe{C8F4C507-64A1-6140-4909-00000000F001}172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050144Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:19.973{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DDA37ADDB3DACEB5F665D084A14D408,SHA256=2ECA6D82D1CEEED7C3B06B174328A759B0119B60269E1C2775B986F781001F77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027033Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:19.084{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB98C8226449B48DC26A73B9681AED00,SHA256=B96C1186A478B811EF9936511EE2786F00801492C2C6244C661DAA3E866049A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050143Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:19.661{C8F4C507-5C87-6140-B607-00000000F001}33724168C:\Windows\Explorer.EXE{C8F4C507-6499-6140-4709-00000000F001}4396C:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050142Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:19.645{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-6499-6140-4709-00000000F001}4396C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050141Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:19.645{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-6499-6140-4709-00000000F001}4396C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000050140Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.718{C8F4C507-6498-6140-4609-00000000F001}6388C:\Program Files\Internet 
Explorer\iexplore.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50720-false204.79.197.200a-0001.a-msedge.net443https 354300x800000000000000050139Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.718{C8F4C507-6498-6140-4609-00000000F001}6388C:\Program Files\Internet Explorer\iexplore.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50721-false204.79.197.200a-0001.a-msedge.net443https 354300x800000000000000050138Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.716{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local51853- 354300x800000000000000050137Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.707{C8F4C507-6498-6140-4609-00000000F001}6388C:\Program Files\Internet Explorer\iexplore.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50719-false93.184.220.29-80http 354300x800000000000000050136Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.673{C8F4C507-6498-6140-4609-00000000F001}6388C:\Program Files\Internet Explorer\iexplore.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50718-false23.203.80.193a23-203-80-193.deploy.static.akamaitechnologies.com443https 354300x800000000000000050135Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:17.673{C8F4C507-6498-6140-4609-00000000F001}6388C:\Program Files\Internet Explorer\iexplore.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50717-false23.203.80.193a23-203-80-193.deploy.static.akamaitechnologies.com443https 23542300x800000000000000050145Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:20.973{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62F7573575141FCBF52744DEDA7A7A2F,SHA256=F0F07033000A3C7562206906C9C037898C33D4B4402DAF56FCDC78FE8B038118,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027034Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:20.100{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39F3B89557BA6F8C605918D0A4B0DC9A,SHA256=493C771826DF36B3AAD9D9B36F34372C2867E10FEC69792C20B868A12078547F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027036Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:21.178{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=723D8D81FFD376EE5A808D9FBD3BA730,SHA256=D17ABCD45D577D80FF6D7146F424680289656E47A6D1305F2BDBB95B714F21F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050148Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:20.278{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50722-false10.0.1.12-8000- 354300x800000000000000050147Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:19.310{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local61718- 23542300x800000000000000050146Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:21.208{C8F4C507-4938-6140-1000-00000000F001}420NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=254F4C3E5F5CC0D02A8AACDB006C7BB0,SHA256=209B11B7D7780FC3A5F769E37899099FCC72751377166DD9046B7D6433A33BCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027035Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:17.609{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51024-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000027064Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:22.866{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-64A6-6140-9A06-00000000F101}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027063Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:00:22.866{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027062Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:22.866{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027061Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:00:25.913{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027105Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:25.913{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027104Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:00:25.913{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027103Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:25.913{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027102Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:00:25.913{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027101Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:25.913{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027100Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:25.913{4A7D70D7-4BB7-6140-0500-00000000F101}416952C:\Windows\system32\csrss.exe{4A7D70D7-64A9-6140-9D06-00000000F101}3320C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027099Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:25.913{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-64A9-6140-9D06-00000000F101}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027098Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:25.914{4A7D70D7-64A9-6140-9D06-00000000F101}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000027097Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:25.663{4A7D70D7-64A9-6140-9C06-00000000F101}34324040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027096Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:25.413{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-64A9-6140-9C06-00000000F101}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027095Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:00:25.413{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027094Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:25.413{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027093Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:00:25.413{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027092Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:25.413{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027091Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:00:25.413{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027090Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:25.413{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027089Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:00:25.413{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027088Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:25.413{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027087Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:00:25.413{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027086Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:25.413{4A7D70D7-4BB7-6140-0500-00000000F101}416432C:\Windows\system32\csrss.exe{4A7D70D7-64A9-6140-9C06-00000000F101}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027085Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:25.413{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-64A9-6140-9C06-00000000F101}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027084Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:25.414{4A7D70D7-64A9-6140-9C06-00000000F101}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027083Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:25.366{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431B8EC086740025562A875A95DABFC3,SHA256=881D1BDC0EDB8372FA51139F822A6AA6E35B03ED4274568D95694D86781381DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050152Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:25.036{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFF18BF0A645F39845A5BE71F1D8056B,SHA256=2BD60B4680EBF345652A8AECC8BBA722571DFE7926A844DEBDC8DB3829B902C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027128Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:26.866{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D6E8B7617BC0538757574902A720A9D,SHA256=CE3539ADDAA61FC7E92F03C8740974F3DD5904A3341109C933C29DA738283D91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027127Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:26.569{4A7D70D7-64AA-6140-9E06-00000000F101}35284032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027126Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:26.491{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CD85507A0879993CFBDA20D5AC7E784,SHA256=4D05D5B604C1184893E3E0D0691156119038186F07374827C41113090DEA6413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050167Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:26.974{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1665D03465170B6AE304D5DE52B0175,SHA256=8D9962C06A8D1105821CEAAFDC55C9F047F35812CF9D0997CDE4796D90738654,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050166Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:26.974{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B86E81604DEF0A675C200742F8BDBDCC,SHA256=C190A3388FFFF87B69FA441E8EE2400460A1568E493F1141FB6428E827DF0893,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050165Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:26.724{C8F4C507-4938-6140-1100-00000000F001}4081580C:\Windows\system32\svchost.exe{C8F4C507-6499-6140-4709-00000000F001}4396C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050164Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF67A5AAC0B27446E2DF55CBBB9EA38A,SHA256=78A4C04BE214CE4A1D29C30154E3FA846B5E9A623F5D76DB16D7048D8C33B82A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027150Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:33.631{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50168DD8FB843808487FD2A28C967C7B,SHA256=2BF268EA2C236C0AD4617B6CC1D98D91C6041E6830E2CDFB40676344461121ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050188Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:33.790{C8F4C507-5C87-6140-B607-00000000F001}33726064C:\Windows\Explorer.EXE{C8F4C507-64A1-6140-4909-00000000F001}172C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a26e|C:\Windows\System32\ole32.dll+89b6b|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8e1d|C:\Windows\System32\SHELL32.dll+283a8e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.c
ommon-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x800000000000000050187Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:33.790{C8F4C507-5C87-6140-B607-00000000F001}33726064C:\Windows\Explorer.EXE{C8F4C507-64A1-6140-4909-00000000F001}172C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f62|C:\Windows\System32\ole32.dll+89b39|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8e1d|C:\Windows\System32\SHELL32.dll+283a8e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windo
ws.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 354300x800000000000000050186Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:32.155{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50724-false10.0.1.12-8000- 10341000x800000000000000050185Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:33.587{C8F4C507-5C87-6140-B607-00000000F001}33726064C:\Windows\Explorer.EXE{C8F4C507-64A1-6140-4909-00000000F001}172C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8e1d|C:\Windows\System32\SHELL32.dll+283a8e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144
ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x800000000000000050184Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:33.587{C8F4C507-5C87-6140-B607-00000000F001}33726064C:\Windows\Explorer.EXE{C8F4C507-64A1-6140-4909-00000000F001}172C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8e1d|C:\Windows\System32\SHELL32.dll+283a8e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000050183Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:33.509{C8F4C507-4938-6140-1600-00000000F001}13241456C:\Windows\system32\svchost.exe{C8F4C507-64B1-6140-4B09-00000000F001}2240C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050182Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:33.509{C8F4C507-4938-6140-1600-00000000F001}13241352C:\Windows\system32\svchost.exe{C8F4C507-64B1-6140-4B09-00000000F001}2240C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050181Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:33.509{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-64B1-6140-4B09-00000000F001}2240C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050180Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:33.493{C8F4C507-5C83-6140-A007-00000000F001}42241076C:\Windows\system32\csrss.exe{C8F4C507-64B1-6140-4B09-00000000F001}2240C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050179Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:33.493{C8F4C507-4936-6140-0500-00000000F001}416432C:\Windows\system32\csrss.exe{C8F4C507-64B1-6140-4B09-00000000F001}2240C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050178Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:33.493{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-64B1-6140-4B09-00000000F001}2240C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050177Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:33.162{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E1BF49B61045309B6FD4A4F1A01EEBF,SHA256=5D49D6AF1618777BE070F84C368E93EC6F95AC5CA3C8BCD9607D0803B58FBFB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027151Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:34.663{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACD335BBFE474F98C4E8A31C4E48257C,SHA256=FCDAF55D493B1E9A698F1965A19E7EA9D64E5B8081477A0F4AE0EC8651060F2D,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000050206Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:34.978{C8F4C507-64A1-6140-4A09-00000000F001}55646768C:\Windows\system32\conhost.exe{C8F4C507-64B2-6140-4C09-00000000F001}4956C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050205Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:34.978{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050204Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:34.978{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050203Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:34.978{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050202Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:34.978{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050201Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:34.978{C8F4C507-5C83-6140-A007-00000000F001}42241076C:\Windows\system32\csrss.exe{C8F4C507-64B2-6140-4C09-00000000F001}4956C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050200Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:34.978{C8F4C507-64A1-6140-4909-00000000F001}1723916C:\Windows\system32\cmd.exe{C8F4C507-64B2-6140-4C09-00000000F001}4956C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
154100x800000000000000050199Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:34.984{C8F4C507-64B2-6140-4C09-00000000F001}4956C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{C8F4C507-5C85-6140-1A54-470000000000}0x47541a2HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{C8F4C507-64A1-6140-4909-00000000F001}172C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x800000000000000050198Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:34.493{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5ED209D096B3BB48E426FD992CF8F80A,SHA256=F92ADDAD99C7F9BB87543E5E154B22D385ABD1699271A68C162A00B72910E22C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050197Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:34.493{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1665D03465170B6AE304D5DE52B0175,SHA256=8D9962C06A8D1105821CEAAFDC55C9F047F35812CF9D0997CDE4796D90738654,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050196Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:34.212{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3776C592142F75988E829594CC103195,SHA256=457472E73AAE6885EDE8A2F4A5CA76B8D2FB501C219C790521C20614419E0F24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050195Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:34.103{C8F4C507-5C87-6140-B607-00000000F001}33724168C:\Windows\Explorer.EXE{C8F4C507-64A1-6140-4909-00000000F001}172C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050194Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:34.103{C8F4C507-5C87-6140-B607-00000000F001}33724168C:\Windows\Explorer.EXE{C8F4C507-64A1-6140-4909-00000000F001}172C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050193Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:34.103{C8F4C507-5C87-6140-B607-00000000F001}33724168C:\Windows\Explorer.EXE{C8F4C507-64A1-6140-4909-00000000F001}172C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050192Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:34.103{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-64A1-6140-4A09-00000000F001}5564C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050191Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:34.103{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-64A1-6140-4A09-00000000F001}5564C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050190Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:34.103{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-64A1-6140-4A09-00000000F001}5564C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050189Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:34.103{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-64A1-6140-4A09-00000000F001}5564C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027152Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:35.678{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0122D7C43B09205CC582A94786F32447,SHA256=5E42F215D3AB37058F99F71EA28FEA087B4F2E4076D49920B46C7D159B731D9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050221Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:35.993{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5ED209D096B3BB48E426FD992CF8F80A,SHA256=F92ADDAD99C7F9BB87543E5E154B22D385ABD1699271A68C162A00B72910E22C,IMPHASH=00000000000000000000000000000000falsetrue 
Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050267Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:40.400{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-6498-6140-4609-00000000F001}6388C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050266Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:40.400{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-6498-6140-4609-00000000F001}6388C:\Program Files\Internet Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050265Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:40.400{C8F4C507-5C87-6140-B607-00000000F001}33724168C:\Windows\Explorer.EXE{C8F4C507-64B6-6140-4D09-00000000F001}6748C:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050264Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:40.400{C8F4C507-5C87-6140-B607-00000000F001}33724168C:\Windows\Explorer.EXE{C8F4C507-64B6-6140-4D09-00000000F001}6748C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050277Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:41.900{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E90C0CA6B3242FF8B5D8F8FB760274C1,SHA256=E2BEF05E58DA9D4C69DAFB19A625234262727092E954888C4DBEF12F2A0175CB,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000027158Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:41.069{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCED582F6726EA3337AED9E7C2F6B9CB,SHA256=374A2BBC5A816B72E1C3769590E4B09FAEF969DA66A442BAFC7481A587D09722,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050276Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:41.415{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-6498-6140-4609-00000000F001}6388C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050275Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:41.415{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-6498-6140-4609-00000000F001}6388C:\Program Files\Internet Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050293Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:42.993{C8F4C507-6498-6140-4609-00000000F001}6388ATTACKRANGE\AdministratorC:\Program Files\Internet 
Explorer\iexplore.exeC:\Users\ADMINI~1\AppData\Local\Temp\~DF903F7CCEA2EB0A9E.TMPMD5=4C9B2F9E05826DA8F8CB45B7430C509F,SHA256=68A6616DD27E50D8180EFA6A9D443F8DB75D0E332F16F9DE6D8E1C82D84FF56B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050292Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:42.978{C8F4C507-6498-6140-4609-00000000F001}6388ATTACKRANGE\AdministratorC:\Program Files\Internet Explorer\iexplore.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\imagestore\2p6opy5\imagestore.datMD5=D3A3B1F4AF2D38F4B8345D225DDB16F4,SHA256=F3215E7BAB6148E100D198D7CFDD9F2CF0F1BEFD7BD679DB50B76E44096967A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050291Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:42.946{C8F4C507-5C86-6140-AF07-00000000F001}1332ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\15GO14PM\known_providers_download_v1[1].xmlMD5=002D5646771D31D1E7C57990CC020150,SHA256=1E2E25BF730FF20C89D57AA38F7F34BE7690820E8279B20127D0014DD27B743F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050290Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:42.931{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81AB01C3088B2ABC1F9CFA42ABDAD2E4,SHA256=FD2F0C75568697561CB62FB7C10BEBC7591DBEA900874598BE0754E84AA4197F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027161Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:42.808{4A7D70D7-4BB9-6140-1E00-00000000F101}1200NT AUTHORITY\SYSTEMC:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048c9ce0a14d8581d\channels\health\respondent-20210914071403-103MD5=6BC7EA00CD47C1D6CBA9803B46ADA0B9,SHA256=8A1C236148BFDB262F48F4DC65B8BF7ED103820369A4D475048D55288754A72B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027160Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:39.781{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51028-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027159Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:42.100{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87B91B78B6D06A81F5F0CA96D8330AA0,SHA256=B5A18028F7BBCA1D50A0137AC75832FFEC77ED773996348ED005EAEBC26D0CD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050289Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:42.868{C8F4C507-6498-6140-4609-00000000F001}6388ATTACKRANGE\AdministratorC:\Program Files\Internet Explorer\iexplore.exeC:\Users\ADMINI~1\AppData\Local\Temp\~DFB5398F4A7D259955.TMPMD5=F89A6B30CF1922235E23EACCE140F0BD,SHA256=7E2DB0B04B5B1A306A9EF5ED8C68A5269A63953023BC9C0ED4B583B46231B6C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050288Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:42.868{C8F4C507-6498-6140-4609-00000000F001}63885800C:\Program Files\Internet Explorer\iexplore.exe{C8F4C507-6499-6140-4709-00000000F001}4396C:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\IEFRAME.dll+cc1cc|C:\Windows\SYSTEM32\IEFRAME.dll+7abef|C:\Windows\SYSTEM32\IEFRAME.dll+7b8e6|C:\Windows\SYSTEM32\IEFRAME.dll+777d8|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\IEFRAME.dll+8200c|C:\Windows\SYSTEM32\IEFRAME.dll+4ae5b|C:\Windows\SYSTEM32\IEFRAME.dll+4aa18|C:\Windows\SYSTEM32\IEFRAME.dll+4a920|C:\Windows\SYSTEM32\IEFRAME.dll+4601d|C:\Windows\SYSTEM32\IEFRAME.dll+2a7a26|C:\Windows\SYSTEM32\IEFRAME.dll+152a14|C:\Windows\SYSTEM32\IEFRAME.dll+d9b81|C:\Windows\SYSTEM32\IEFRAME.dll+152a9f|C:\Program Files\Internet Explorer\iexplore.exe+14e9|C:\Program Files\Internet Explorer\iexplore.exe+1d77|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050287Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:42.759{C8F4C507-6498-6140-4609-00000000F001}6388ATTACKRANGE\AdministratorC:\Program Files\Internet Explorer\iexplore.exeC:\Users\ADMINI~1\AppData\Local\Temp\~DF758F09F344E7925B.TMPMD5=44F42A01BB30BE35D32AE117B2F669D6,SHA256=71C8FB98C63BFEC92586098875492FBCFD008426E27228161B17302EADCB725C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050286Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:42.759{C8F4C507-6498-6140-4609-00000000F001}6388ATTACKRANGE\AdministratorC:\Program Files\Internet Explorer\iexplore.exeC:\Users\ADMINI~1\AppData\Local\Temp\~DFCAE923E59CECEA56.TMPMD5=A5DEE9DD4760A897A628997942621BB3,SHA256=789B26299DF13AD914D2A8A5A87CD486962C11B0A0E1A0F911E8B0207264CA58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050285Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:42.759{C8F4C507-6498-6140-4609-00000000F001}6388ATTACKRANGE\AdministratorC:\Program Files\Internet 
Explorer\iexplore.exeC:\Users\ADMINI~1\AppData\Local\Temp\~DFA1474235FDC551F8.TMPMD5=57BE92B52D4B6205D3CEF0E616258A24,SHA256=9FBA11B1522D090B80D3B0ABAD3DFFED323A0B90693C7C3632B579B1899AFD32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050284Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:42.743{C8F4C507-6498-6140-4609-00000000F001}63885472C:\Program Files\Internet Explorer\iexplore.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d4a67|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\shcore.dll+32707|C:\Windows\SYSTEM32\IEFRAME.dll+c1764|C:\Windows\SYSTEM32\IEFRAME.dll+c155d|C:\Windows\SYSTEM32\IEFRAME.dll+c1232|C:\Windows\SYSTEM32\IEFRAME.dll+c0b27|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050283Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:42.743{C8F4C507-6498-6140-4609-00000000F001}63885472C:\Program Files\Internet 
Explorer\iexplore.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d49d2|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\shcore.dll+32707|C:\Windows\SYSTEM32\IEFRAME.dll+c1764|C:\Windows\SYSTEM32\IEFRAME.dll+c155d|C:\Windows\SYSTEM32\IEFRAME.dll+c1232|C:\Windows\SYSTEM32\IEFRAME.dll+c0b27|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050282Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:42.743{C8F4C507-6498-6140-4609-00000000F001}63885472C:\Program Files\Internet Explorer\iexplore.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\shcore.dll+32707|C:\Windows\SYSTEM32\IEFRAME.dll+c1764|C:\Windows\SYSTEM32\IEFRAME.dll+c155d|C:\Windows\SYSTEM32\IEFRAME.dll+c1232|C:\Windows\SYSTEM32\IEFRAME.dll+c0b27|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050281Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:42.743{C8F4C507-6498-6140-4609-00000000F001}63885472C:\Program Files\Internet Explorer\iexplore.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\shcore.dll+32707|C:\Windows\SYSTEM32\IEFRAME.dll+c1764|C:\Windows\SYSTEM32\IEFRAME.dll+c155d|C:\Windows\SYSTEM32\IEFRAME.dll+c1232|C:\Windows\SYSTEM32\IEFRAME.dll+c0b27|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050280Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:42.634{C8F4C507-5C87-6140-B607-00000000F001}33724168C:\Windows\Explorer.EXE{C8F4C507-6498-6140-4609-00000000F001}6388C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050279Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:42.634{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-64B6-6140-4D09-00000000F001}6748C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050278Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:42.634{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-64B6-6140-4D09-00000000F001}6748C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050295Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:43.931{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B09A20CE9D8AA5C85E944902725E5AC3,SHA256=49B10252F00D818507E145F953D3A43646722E239E8C5B0D1CF47C217AB8915C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027163Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:43.817{4A7D70D7-4BB9-6140-1E00-00000000F101}1200NT AUTHORITY\SYSTEMC:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048c9ce0a14d8581d\channels\health\surveyor-20210914071401-104MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027162Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:43.238{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13DB5A6DDC6DC36D39C393F5A3DAC40F,SHA256=36388E2D3487D49EDF85D1DDDC15DB96AC04BDD102E552CA361C06BF0F799270,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050294Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:43.900{C8F4C507-4936-6140-0B00-00000000F001}6324692C:\Windows\system32\lsass.exe{C8F4C507-4934-6140-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 
23542300x800000000000000050305Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:44.962{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DF8528B4479737E8B4DFA120E969B00,SHA256=5838305511CC2D69F0A720D3C68F591819616CBAA5D1F92DA829D88E99FC109E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027164Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:00:44.333{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=738DBB6FD85B891FF71B3D9D7769D101,SHA256=E1575068058C78DEA803AC36EC28808F1FD2D30963AE9FF2CF325DE7D927429A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050304Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:44.931{C8F4C507-5C87-6140-B607-00000000F001}33724168C:\Windows\Explorer.EXE{C8F4C507-628F-6140-F508-00000000F001}6204C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050303Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:44.931{C8F4C507-5C87-6140-B607-00000000F001}33724168C:\Windows\Explorer.EXE{C8F4C507-628F-6140-F508-00000000F001}6204C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050302Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:44.931{C8F4C507-5C87-6140-B607-00000000F001}33724168C:\Windows\Explorer.EXE{C8F4C507-628F-6140-F508-00000000F001}6204C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050301Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:44.915{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-628F-6140-F508-00000000F001}6204C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050300Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:44.915{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-628F-6140-F508-00000000F001}6204C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050299Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:44.915{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-628F-6140-F508-00000000F001}6204C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050298Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:44.915{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-628F-6140-F508-00000000F001}6204C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
09:00:51.341{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050357Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:51.341{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050356Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:51.341{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050355Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:51.341{C8F4C507-4936-6140-0500-00000000F001}416532C:\Windows\system32\csrss.exe{C8F4C507-64C3-6140-5109-00000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050354Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:51.341{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-64C3-6140-5109-00000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050353Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:51.341{C8F4C507-64C3-6140-5109-00000000F001}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000050352Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:51.137{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86C2831EC3C1062F6C11C457B704C169,SHA256=EA991BEDF980F4CEED0C54D8687CC28BD8175E047664DFE0FEDA8B41281BD06B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027173Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:00:52.826{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4543F8041DCFF3074DF245AD83D229E5,SHA256=5240BCD056BD6FEDE5AE03AA01EA7858D23066F4DD0039C27F753FC0E904439F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050379Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:52.653{C8F4C507-64C4-6140-5209-00000000F001}62284652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000050378Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:52.481{C8F4C507-64C4-6140-5209-00000000F001}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000050377Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:52.481{C8F4C507-64C4-6140-5209-00000000F001}6228C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000050376Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:52.481{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-64C4-6140-5209-00000000F001}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050375Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:52.481{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050374Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:52.481{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050373Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:52.481{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050372Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:52.481{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050371Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:52.481{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-64C4-6140-5209-00000000F001}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050370Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:52.481{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-64C4-6140-5209-00000000F001}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050369Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:52.482{C8F4C507-64C4-6140-5209-00000000F001}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000050368Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:52.153{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46955413B81B2D8D71A27295B00C6F5A,SHA256=7544078093ABA2302BD5D4FB54C8F8F51159D623FECABD6692B5AF28963D8387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027174Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:00:53.841{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D53AB8B394CB9C9FFC48E76A38569D,SHA256=290AF76F5B71ABC44CF23E768EE25A5B66781D5675BD7FFA795A5FD19E5BCC0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050392Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:53.497{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0688B2CFF2C9967BF0EE255974C13BA4,SHA256=05EB3BE7269634B22BEDB42D776B3F2BF239B0F46F3562E7026CA36F90AF5B47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050391Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:53.356{C8F4C507-64C5-6140-5309-00000000F001}62684056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050390Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:53.169{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91273663F9434F99C6CC03FAC90CC29F,SHA256=CD532D129E7DA98FCBAB7C4B1E6C7DE4E4138FA573BF2C311135BD51C78D7CD0,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000050389Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:53.153{C8F4C507-64C5-6140-5309-00000000F001}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000050388Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:53.153{C8F4C507-64C5-6140-5309-00000000F001}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000050387Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:53.153{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-64C5-6140-5309-00000000F001}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000050386Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:53.153{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050385Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:53.153{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050384Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:00:53.153{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050383Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:53.153{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050382Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:53.153{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-64C5-6140-5309-00000000F001}6268C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050381Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:53.153{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-64C5-6140-5309-00000000F001}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050380Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:00:53.154{C8F4C507-64C5-6140-5309-00000000F001}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
09:01:08.504{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-64D4-6140-5609-00000000F001}6716C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050449Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:08.504{C8F4C507-4938-6140-1600-00000000F001}13241456C:\Windows\system32\svchost.exe{C8F4C507-64D4-6140-5509-00000000F001}6024C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050448Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:01:08.504{C8F4C507-4938-6140-1600-00000000F001}13241352C:\Windows\system32\svchost.exe{C8F4C507-64D4-6140-5509-00000000F001}6024C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050447Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:08.489{C8F4C507-4938-6140-1600-00000000F001}13241456C:\Windows\system32\svchost.exe{C8F4C507-64D4-6140-5609-00000000F001}6716C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050446Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:08.489{C8F4C507-4938-6140-1600-00000000F001}13241352C:\Windows\system32\svchost.exe{C8F4C507-64D4-6140-5609-00000000F001}6716C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050445Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:01:08.379{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050444Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:08.379{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050443Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:01:08.379{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050442Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:08.379{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050441Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:01:08.364{C8F4C507-5C83-6140-A007-00000000F001}42241076C:\Windows\system32\csrss.exe{C8F4C507-64D4-6140-5709-00000000F001}5712C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050440Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:08.364{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050439Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:08.364{C8F4C507-6498-6140-4609-00000000F001}63885800C:\Program Files\Internet 
Explorer\iexplore.exe{C8F4C507-64D4-6140-5709-00000000F001}5712C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\iertutil.dll+2702c|C:\Windows\SYSTEM32\iertutil.dll+28123|C:\Windows\SYSTEM32\iertutil.dll+27e92|C:\Windows\SYSTEM32\IEFRAME.dll+4587e7|C:\Windows\SYSTEM32\IEFRAME.dll+45859e|C:\Windows\SYSTEM32\IEFRAME.dll+1b07a0|C:\Windows\SYSTEM32\IEFRAME.dll+4610c|C:\Windows\SYSTEM32\IEFRAME.dll+2a7a26|C:\Windows\SYSTEM32\IEFRAME.dll+152a14|C:\Windows\SYSTEM32\IEFRAME.dll+d9b81|C:\Windows\SYSTEM32\IEFRAME.dll+152a9f|C:\Program Files\Internet Explorer\iexplore.exe+14e9|C:\Program Files\Internet Explorer\iexplore.exe+1d77|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050438Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:08.364{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050437Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:01:08.376{C8F4C507-64D4-6140-5709-00000000F001}5712C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:276824072 WinX:0 WinY:0 IEFrame:0000000000000000C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{C8F4C507-5C85-6140-1A54-470000000000}0x47541a2HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{C8F4C507-6498-6140-4609-00000000F001}6388C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?LinkId=528884 10341000x800000000000000050436Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:08.364{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050435Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:01:08.364{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050434Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:08.364{C8F4C507-5C83-6140-A007-00000000F001}4224696C:\Windows\system32\csrss.exe{C8F4C507-64D4-6140-5609-00000000F001}6716C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050433Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:08.364{C8F4C507-6498-6140-4609-00000000F001}63885800C:\Program Files\Internet 
Explorer\iexplore.exe{C8F4C507-64D4-6140-5609-00000000F001}6716C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\iertutil.dll+2702c|C:\Windows\SYSTEM32\iertutil.dll+28123|C:\Windows\SYSTEM32\iertutil.dll+27e92|C:\Windows\SYSTEM32\IEFRAME.dll+4587e7|C:\Windows\SYSTEM32\IEFRAME.dll+458582|C:\Windows\SYSTEM32\IEFRAME.dll+1b07a0|C:\Windows\SYSTEM32\IEFRAME.dll+4610c|C:\Windows\SYSTEM32\IEFRAME.dll+2a7a26|C:\Windows\SYSTEM32\IEFRAME.dll+152a14|C:\Windows\SYSTEM32\IEFRAME.dll+d9b81|C:\Windows\SYSTEM32\IEFRAME.dll+152a9f|C:\Program Files\Internet Explorer\iexplore.exe+14e9|C:\Program Files\Internet Explorer\iexplore.exe+1d77|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050432Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:08.375{C8F4C507-64D4-6140-5609-00000000F001}6716C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:276824072 WinX:0 WinY:0 IEFrame:0000000000000000C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{C8F4C507-5C85-6140-1A54-470000000000}0x47541a2MediumMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{C8F4C507-6498-6140-4609-00000000F001}6388C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?LinkId=528884 10341000x800000000000000050431Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:01:08.364{C8F4C507-5C83-6140-A007-00000000F001}42241076C:\Windows\system32\csrss.exe{C8F4C507-64D4-6140-5509-00000000F001}6024C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050430Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:08.364{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050429Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:01:08.364{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050428Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:08.364{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050427Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:01:08.364{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050426Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:08.364{C8F4C507-6498-6140-4609-00000000F001}63885800C:\Program Files\Internet Explorer\iexplore.exe{C8F4C507-64D4-6140-5509-00000000F001}6024C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\iertutil.dll+2702c|C:\Windows\SYSTEM32\iertutil.dll+28123|C:\Windows\SYSTEM32\iertutil.dll+27e92|C:\Windows\SYSTEM32\IEFRAME.dll+4587e7|C:\Windows\SYSTEM32\IEFRAME.dll+458562|C:\Windows\SYSTEM32\IEFRAME.dll+1b07a0|C:\Windows\SYSTEM32\IEFRAME.dll+4610c|C:\Windows\SYSTEM32\IEFRAME.dll+2a7a26|C:\Windows\SYSTEM32\IEFRAME.dll+152a14|C:\Windows\SYSTEM32\IEFRAME.dll+d9b81|C:\Windows\SYSTEM32\IEFRAME.dll+152a9f|C:\Program Files\Internet Explorer\iexplore.exe+14e9|C:\Program Files\Internet Explorer\iexplore.exe+1d77|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050425Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:01:08.370{C8F4C507-64D4-6140-5509-00000000F001}6024C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:8388616 WinX:0 WinY:0 IEFrame:0000000000000000C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{C8F4C507-5C85-6140-1A54-470000000000}0x47541a2LowMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{C8F4C507-6498-6140-4609-00000000F001}6388C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?LinkId=528884 23542300x800000000000000050424Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:08.364{C8F4C507-6498-6140-4609-00000000F001}6388ATTACKRANGE\AdministratorC:\Program Files\Internet Explorer\iexplore.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{28BA9412-153A-11EC-AB28-02E184E3B4A8}.datMD5=49FEFE9CFF20E08EE1E3A61CEE1752B5,SHA256=1376C23EF7F79A3C4F112BD8D36FFDADDA4C29F05053535C1BE720AA4EB2EAE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050423Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:08.364{C8F4C507-6498-6140-4609-00000000F001}6388ATTACKRANGE\AdministratorC:\Program Files\Internet Explorer\iexplore.exeC:\Users\ADMINI~1\AppData\Local\Temp\~DF254E874B370377CC.TMPMD5=324428AD33C3036C3DAE14EC014E2309,SHA256=7D7FFDE60A59DC311AC3F2249B54D8F968DCE6A47A09E09A11A78BE227879BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050422Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:08.364{C8F4C507-6498-6140-4609-00000000F001}6388ATTACKRANGE\AdministratorC:\Program 
Files\Internet Explorer\iexplore.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{3A612B5E-153A-11EC-AB28-02E184E3B4A8}.datMD5=59910D9A83D22EB000037446186B38E7,SHA256=DE5780673A533C7E219B941C3B01053D1F57778914E40C186C4B3CC958D8C243,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050421Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:08.364{C8F4C507-6498-6140-4609-00000000F001}6388ATTACKRANGE\AdministratorC:\Program Files\Internet Explorer\iexplore.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{28BA9414-153A-11EC-AB28-02E184E3B4A8}.datMD5=488C6F78C971826767E2847367C65EFB,SHA256=B40B207B8BF31AC148B66BCA4DC27437BB51E235940A8424A70D6B6BD690EEF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027196Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:09.474{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB9DF32141A2D30064952CC478921F1C,SHA256=C9EE3335E5A21FFB436D6CB403CEC2DAE7930A90AFFD0FD87A6225ECDBE7D11F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050476Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:09.645{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=928EFB0E336C829906370AFC1BAEC7A1,SHA256=3BE8A3F94A2479D6C064514F78BB37DE4138AC9AD4F3B7BEC6D6FEFD1B073C83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050475Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:01:09.629{C8F4C507-5C87-6140-B607-00000000F001}33724264C:\Windows\Explorer.EXE{C8F4C507-64D4-6140-5509-00000000F001}6024C:\Windows\system32\rundll32.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8033A46E8A8)|UNKNOWN(FFFFB464B6EA5B68)|UNKNOWN(FFFFB464B6EA5CE7)|UNKNOWN(FFFFB464B6EA0371)|UNKNOWN(FFFFB464B6EA1D3A)|UNKNOWN(FFFFB464B6E9FFF6)|UNKNOWN(FFFFF8033A186103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000050474Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:01:09.629{C8F4C507-5C87-6140-B607-00000000F001}33724264C:\Windows\Explorer.EXE{C8F4C507-64D4-6140-5509-00000000F001}6024C:\Windows\system32\rundll32.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55531|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8033A46E8A8)|UNKNOWN(FFFFB464B6EA5B68)|UNKNOWN(FFFFB464B6EA5CE7)|UNKNOWN(FFFFB464B6EA0371)|UNKNOWN(FFFFB464B6EA1D3A)|UNKNOWN(FFFFB464B6E9FFF6)|UNKNOWN(FFFFF8033A186103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050473Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:09.473{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDD0D3F1FCBBDE2EF15B18349E9F1E34,SHA256=3780E7AAE8EBEE6229BC0922562DEF0EDBD406D416BADE7D15128212EDE12571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050472Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:09.473{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09EF1D6AD228FDFB0BBC79C020818774,SHA256=95D0878AD14DE215B471669FFCF8AAD4DC1AFC2BF4176DBC3AC9ABBC92120E2B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000050471Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:09.098{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1AF789FA10D82F56DA7370D1D61655,SHA256=B1ED70434AEAE4841700D46BF8B60B0BFA04187426A35C14075FA53F9B4AA78E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050477Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:10.660{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F0B6CD025E2EC4E4D86962A1C69B3C,SHA256=45BC28C903590C85D8A61C2421159E6526C340FD965B0B5E3F5BBACD75AC25A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027197Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:10.677{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4209A3E05FD13CEBEF2A8123E756282D,SHA256=4318E6CEE12123CDA173395B79FD57290D5517E0C1AC218F8D82328DE4390E02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050479Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:11.692{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=079C3B3EB5902E63942D589DDD921743,SHA256=A97D2EB070AA2ED9C65BC5AFE6795C376D695FB677910700B39E4A4D122E230F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050478Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:10.315{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50736-false10.0.1.12-8000- 23542300x800000000000000027199Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:11.802{4A7D70D7-4C3D-6140-9E00-00000000F101}360NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=97307B6C6226AFFEFEDDF9EBA24D5EA3,SHA256=4CB856A974CB30F2D8F223261AE885385947BBAEFF3925236FB5B2D7588E78E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027198Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:11.740{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FCBA0127C68EC8E53F596D6474E9EFF,SHA256=79670FA5693A08C272B54AE4C04D21987975B1C44BAFFBE7DA927C38DBB90482,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050480Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:12.723{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7FEA03F8B3A2B6FF752A3EE1AF69FAF,SHA256=C3967DBDD86F36236B87FF318C6C05CAF235989017FB1484060409BFCF2B8CE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027201Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:12.771{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=154D3D0990201C04300D6D11F4DB90FB,SHA256=878ACE907B5C03492BEC4FFD67C1761825CE7B138BC72A4C7632A72BD9CEDCA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027200Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:08.764{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51033-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000050481Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:13.739{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA2BAAC3351319A734577082D6FCC6C2,SHA256=B2854E8F56E64CB9A7ED3935C5986482B9F842182795318733C743A03340257B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027203Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:13.787{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02648A787FA1D330D4E67D644522BCB0,SHA256=72466D74281C0FA4AD00579047193862BA8ABA7D65AFE7F82A504327F95F13DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027202Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:10.342{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51034-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000027204Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:14.834{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6748DDC23924B5B517795DED37982D81,SHA256=E74E5D5BAC88D7683E2133FD92D1F2415C0B1DE3211CD1CC2DC0B88CFB6DA658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050482Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:14.879{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=044C358A85F5CE838106C3EEED33424F,SHA256=158FC3D63069EBD33196774611904FA424CECB8309C3E6EF337E261C42CB9E80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050483Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:15.895{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EC60A591EE98A4330C59A4C0BEF60AE,SHA256=17916D795780B50266A9981FCA2794E1848655875AB9DA58D70F04A40635E257,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027205Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:15.849{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4432206BFF68159E1602DE53DFBEDD69,SHA256=955086515D2935745241B81311C2FB1434A6245A871736081C27A2CC1F1800B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050484Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:16.926{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20F9FE7A7391521022C77928879215A7,SHA256=12F92E036BB2078EBEB57F11A28D554CB9D526B476CA402097918336096FD9E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027206Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:16.912{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05848106AE5FD7036546EFADD48ED6F1,SHA256=93E19C56344A5D3D18A21322A9DC8A848216F4D3A7004362D6E5C0083A40FA62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027208Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:17.927{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7675DFF5F84C6475B8A27E967D55B662,SHA256=8AACC26F261AE22DAEF7DA1367886189D4E8970E632C1A46DC371BC915962D47,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050485Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:16.324{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50737-false10.0.1.12-8000- 354300x800000000000000027207Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:14.764{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51035-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027209Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:18.943{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA1D2560A18BC3436E2575CCD52AF485,SHA256=711B5CB5583499A7E08E7070CBCF3F3DFA8A5062DD93A1C5504F9663A8BFCC36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050486Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:18.004{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=025A6EE8EA03819F17518DC4E8379798,SHA256=C3BF17A5194DE3466A89B6C3C4045D1EDA81D302DC1B5E337D28FDEAE3BF34CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050487Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:19.067{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F41F357CED8344871CAD1146F5EA6FA0,SHA256=5AD5E05359B6BF555C9E14D3FFAB53047D5788B3CFC8CD63C8768D662E2EE8ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027210Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:20.037{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2B95AD32D1C9E04769AB534B005851F,SHA256=E18CF3218EB88E6EE4573ECA70965CB4C87BA6A8106B4D390315ACC01B94DB6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050488Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:20.114{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6D78B8CB4B18CAD8052FDD3C1231BB2,SHA256=7E47048176232D39BB61350C21E49C0A9CCC274E44574270EA544B1CC809B140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050490Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:21.223{C8F4C507-4938-6140-1000-00000000F001}420NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=55FE15FFE9A071812C327F9775308B59,SHA256=AD0284417C37B2EB567AD6F70656D3DEDBC6BF7FBCE98869E31111A0FF5299F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050489Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:21.129{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CEFA99E8FA952C81C7A32C10296D1D7,SHA256=D1B6EF72F7C5FB8F87A5F422DB8AA3A420C76C614DD46770FFEBB7983A635E03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027211Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:21.068{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BD9494BF22CB36A0AB271C8C3EBB67E,SHA256=764564F7C3C762A4182DA51C52BE437EA3201B4E0BB636C6A07268BA3C7268A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050491Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:22.129{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6BF4571886AA2C40FFEC8108AFD5041,SHA256=BC6E10F580036B8C17D4FC32088494255B7EEB8CBE1EC1324FC75E2976F601D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027239Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:01:22.630{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-64E2-6140-A106-00000000F101}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027238Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:22.630{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027237Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:01:22.630{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027236Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:22.630{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027235Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:01:22.630{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027234Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:22.630{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027233Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:01:22.630{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027232Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:22.630{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027231Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:01:22.630{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027230Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:22.630{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027229Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:22.630{4A7D70D7-4BB7-6140-0500-00000000F101}416952C:\Windows\system32\csrss.exe{4A7D70D7-64E2-6140-A106-00000000F101}724C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027228Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:22.630{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-64E2-6140-A106-00000000F101}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027227Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:22.631{4A7D70D7-64E2-6140-A106-00000000F101}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000027226Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:22.412{4A7D70D7-64E2-6140-A006-00000000F101}29562892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027225Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:22.130{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-64E2-6140-A006-00000000F101}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027224Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:01:22.130{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027223Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:22.130{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027222Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:01:25.417{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027266Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:25.417{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027265Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:01:25.417{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027264Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:25.417{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027263Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:01:25.417{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027262Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:25.417{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027261Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:25.417{4A7D70D7-4BB7-6140-0500-00000000F101}416952C:\Windows\system32\csrss.exe{4A7D70D7-64E5-6140-A306-00000000F101}1560C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027260Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:25.417{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-64E5-6140-A306-00000000F101}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027259Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:25.418{4A7D70D7-64E5-6140-A306-00000000F101}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027258Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:25.151{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C166E4AD9DEBDF7FE9177CF7BC17D09,SHA256=0E0738770FE5CC8BD9EC7E13FE1002E7DE95A10F959F5128F7DB2EBB055CBECC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027302Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:26.792{4A7D70D7-64E6-6140-A506-00000000F101}37401216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027301Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:26.573{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-64E6-6140-A506-00000000F101}3740C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027300Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:26.573{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027299Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:01:26.573{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027298Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:26.573{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027297Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:01:26.573{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027296Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:26.573{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027295Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:01:26.573{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027294Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:26.573{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027293Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:01:26.573{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027292Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:26.573{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027291Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:26.573{4A7D70D7-4BB7-6140-0500-00000000F101}416432C:\Windows\system32\csrss.exe{4A7D70D7-64E6-6140-A506-00000000F101}3740C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027290Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:26.573{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-64E6-6140-A506-00000000F101}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027289Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:26.574{4A7D70D7-64E6-6140-A506-00000000F101}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027288Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:26.526{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B79902C8A726E5153C2C5AEBFB060FA,SHA256=CF752E7BB0AAA1EB0C13AF3994A5B7C26A53C31738FDDBD051E9323A6DADF6FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027287Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:26.214{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE0FB28DD1B9D4A9267E2B2526462B84,SHA256=69418D8D7C0CFD2E3016258B6F3B19324C821FEF0966939E120BEBEBF3BDE015,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050496Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:26.213{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB27545BE1B17C7ED7993D3D0B19386C,SHA256=52618B805CC46788652B5E9AD2FECF90A2F214ABE1922C21C4953D67498E56B8,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000027286Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:26.120{4A7D70D7-64E5-6140-A406-00000000F101}24922992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050497Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:27.244{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE1081DE45E2C066E4090A7C899421F,SHA256=7A5D9B6C73B3807EF9AD16B6FAB837B19097E792872571B6E16EE982FE53FF48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027317Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:27.651{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-64E7-6140-A606-00000000F101}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027316Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:01:27.651{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027315Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:27.651{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027314Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:01:27.651{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027313Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:27.651{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027312Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:01:27.651{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027311Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:27.651{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027310Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:01:27.651{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027309Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:27.651{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027308Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:01:27.651{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027307Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:27.651{4A7D70D7-4BB7-6140-0500-00000000F101}416532C:\Windows\system32\csrss.exe{4A7D70D7-64E7-6140-A606-00000000F101}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027306Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:27.651{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-64E7-6140-A606-00000000F101}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027305Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:27.653{4A7D70D7-64E7-6140-A606-00000000F101}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027304Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:27.573{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8C5B5E084BD1B123269B94F96C58317,SHA256=02D270228EB14FC8230FD6BBFEAAF185699B6DBEEF0B100DD8CFA57EAAB0D104,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000027303Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:27.308{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE3463BA1355C3F625209E99264528F4,SHA256=739DA1DDB63663F1139A7E8F47C175EBA9763688B3695784DA40A0962FF9BC3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027320Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:25.801{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51037-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027319Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:28.667{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=147ED7F779A60AB61367A305755665E5,SHA256=D0346FE02942F0513910F7D46121699B391A00C90C4E7C80EBCAF4380460B958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027318Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:28.323{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F6D4D9609F8B77769549B50786B97E6,SHA256=A258AE33E4294C060FDACE583B82800FDCD8F7BDE5D5CCFE70055869DADA5D4F,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000050498Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:28.259{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606C6E9C26FE115CE9388BF861B96E15,SHA256=D367BCCDA9689E490B1654EDF0762F32B8E96CC2E261D416749B36A2E3C8E8B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027321Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:29.339{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8757813FA589FD168AD6359777A45DFA,SHA256=C17C2B4CC6B3D99D644E74A8D535C619C3AC6982382423D517DE2BF9B47F36AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050500Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:27.314{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50739-false10.0.1.12-8000- 23542300x800000000000000050499Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:29.259{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA058BD05C9C3425127F163336866F46,SHA256=DAF4A60058E64308F049462A11A15307CBD6B08488D762FFBA2BDA886C6D8CA9,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000027322Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:30.354{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBED218CC42A070354F4DF2DC8DE90CE,SHA256=B0AA8091656AAD2396BC630A1D5D7FDCCC1A93B82954DDF26CCDA477F4DFBB21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050501Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:30.291{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A220637F55C533566D15C1DC78AFEB98,SHA256=6765AE970B1C073C8806868885C445D4DF8BA02A55C0EA1AC2934643F4DCC7C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027323Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:31.370{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D7DEE0103F588AE96D7AD0DD82FC045,SHA256=7213E712BD1D5DFEBD22CB3FF3256E677A99F5D17CFFE1837634EBE9B0E36E7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050502Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:31.338{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=696629C1B22DA3CD000D56833AB079D4,SHA256=F5A9F34A8D928559349F49CE5DF09E6CAB06CD70ED76D0AAA5230FD8AD2B9AB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027324Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:32.370{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E2AE0636413AC3E2F91BBA3014A4FFE,SHA256=627E3A507AEDEB6480D970D952C87A5CA83801ACDB3FCB8E3602553265B8D5B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050503Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:32.353{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B67E1F9CECDB7F311FE27721144BC26,SHA256=EAFC774127AE1F45D495A1B083A19F63D5EC3FB657E582B34F32AB3CFBB9B41F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027325Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:33.386{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3157288B8C64B77882D859920CB5A577,SHA256=46579318473964486AFB202ACB5AB221DB9EF5F23C8ED49CFF5389A6B67A5F24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050505Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:33.354{C8F4C507-495A-6140-7B00-00000000F001}3640NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E044ADF576BE26AAED90BE094864FCE2,SHA256=A8D2BA481839D27FE47B988EEBDFE84FEAAE7956BAE09CA882436B06EC68FDF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050504Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:33.247{C8F4C507-4948-6140-2A00-00000000F001}2916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0477d517a1c234eb8\channels\health\respondent-20210914070338-114MD5=444213A5E4761AD14A80FA7E47991D82,SHA256=0DBDB8A4E56CED56EF8E5BF7E0DBD8D08A5C60B4FE09EE301DC946EF89962DD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027327Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:31.769{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51038-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027326Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:34.401{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CECE4FDA0746B7A52A0DD8E23EF55A98,SHA256=266C74B08FFF6F88D603C1AD5B92C22F656DE1732AAEA9BDFC06464BB2B64BE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050508Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:33.315{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50740-false10.0.1.12-8000- 23542300x800000000000000050507Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:34.400{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C2F5A2874BEDA9C69F03D952C772D00,SHA256=24C7451D50683E2E9F8CE2E8E908F649AD0F516DE7389687E55866D25A49FA14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050506Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:34.262{C8F4C507-4948-6140-2A00-00000000F001}2916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0477d517a1c234eb8\channels\health\surveyor-20210914070336-115MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027328Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:35.433{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69BFF5FC87A4DBE16405A45DE3897C0,SHA256=EE2D4B31FD9F10B49062BE26EF7BC08C9EEFAFB58EB8BC784803CEEF8A49514F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050509Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:35.403{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FAED2C77B96929C7EFBBBC3D35CF1DC,SHA256=0965D242B9D2D57DE427FB4644E0B3AB3E547B3F880ED26D29663F48F18EA6EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027329Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:36.448{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E2CE4BA3C812CD261A2D9AF9CA20ACF,SHA256=85264F1361BC0E7FE8472B412342E5FE8D5961E3C328D89C85704E22FDDDD77C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050510Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:36.418{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20928B505A3B0FC1855D9D4269A98B78,SHA256=D7348BAE4FC2D0EEEC8130D6FA4264ECC79E4363B97417185EECCD0FF913540E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027330Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:37.464{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81EAA5A633F848638E7F8CE652E20C0F,SHA256=483B53DB779BF26B176D5473B7541CCBCBC7E39792A7CDB253EBA2CCCA6D40A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050512Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:37.434{C8F4C507-495A-6140-7B00-00000000F001}3640NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A033FDC2DD26FDAA117D4DF3B88A8ECE,SHA256=583BD4CC7081D496A14CEEA083F5ACA2B9BEABAB148B93185323045F7D91E5B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050511Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:37.231{C8F4C507-4948-6140-2D00-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=97307B6C6226AFFEFEDDF9EBA24D5EA3,SHA256=4CB856A974CB30F2D8F223261AE885385947BBAEFF3925236FB5B2D7588E78E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027331Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:38.682{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BFEA23A970C643FD9CC43B80D3D7B6A,SHA256=DFCC690B427D20857477AD6025EB74D5CCC01B6D4E862DA6CC74FA3CA79F65F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050514Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:38.481{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C8B715E6590FD5181B7F4F0ADC2ED1,SHA256=7D44CDF4DBB659000FF977F3B1563780EE95BD828F8AC74E44C0605EE20CB155,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050513Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:01:37.333{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50741-false10.0.1.12-8089- 23542300x800000000000000027332Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:39.917{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30FF9605B42CD14FFADF8234BFE6C825,SHA256=9E4AD44C38E33547585A1A3FEFA9DD3E3D4741E76099D21CF64323A5140EBEFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050517Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:39.778{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F8BD88AB3A538CDCC4C2B1C8F3BE7A0,SHA256=68AEF1AAEC7EAD53460DC45BDBAB18FA668E057365728EB1C6B234EE201FC79D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050516Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:39.778{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDD0D3F1FCBBDE2EF15B18349E9F1E34,SHA256=3780E7AAE8EBEE6229BC0922562DEF0EDBD406D416BADE7D15128212EDE12571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050515Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:39.497{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ABB453FDBD9ECC5A63382C396E09AB2,SHA256=A7575744F61101610B8497D8F76CC4379F3B7726B5844EEC45CF9AA84324F0A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050519Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:40.528{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8856518345559F1F932DA737523E9FFE,SHA256=CDE1A2E67627CB2ACEE7C30CB404F0B890B048F3A86617C47A07CBF3D19870A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050518Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:39.176{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50742-false10.0.1.12-8000- 23542300x800000000000000050520Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:41.559{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A179DF00B114F9BE0DC5C83E05197BE,SHA256=3DE5F9768CA3708BEF70CF948A54DDF4724E6873EFCD86A69CC2144E66091B07,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027334Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:37.597{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51039-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027333Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:41.151{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5C62F49F0231036B892D9D62D5F09E7,SHA256=A08B56FAB220EB5C03EDD210A385474D4B9D089091E0752F8E6BDD47E959395A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050523Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:42.575{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C2AEE7458F0E899F62EEE9B218942D9,SHA256=05E7BC01E1FC32CC7526254AA067CA0895B6FE490CC35BD030EDF12C225F312C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050522Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:41.133{C8F4C507-4934-6140-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-158.attackrange.local138netbios-dgm 354300x800000000000000050521Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:41.133{C8F4C507-4934-6140-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-158.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x800000000000000027335Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:42.370{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2366B7E849DD63813F14FB8EEE705B15,SHA256=9CF3FE20D3A3FDA0B44F0177A98B7E7B12BC83BC30858FBE0ACC57ED561795C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050527Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:43.747{C8F4C507-4938-6140-0D00-00000000F001}9046464C:\Windows\system32\svchost.exe{C8F4C507-5C86-6140-AD07-00000000F001}4252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050526Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:43.747{C8F4C507-4938-6140-0D00-00000000F001}9043476C:\Windows\system32\svchost.exe{C8F4C507-4938-6140-1600-00000000F001}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050525Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:43.747{C8F4C507-4938-6140-0D00-00000000F001}9046464C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2B00-00000000F001}2924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x800000000000000050524Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:43.575{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0A83BA4637A28D6B5A8A63CFBDE07CF,SHA256=AD2DA023D3E4588409D3812C3522BB3F1132064D5E72428F7A2D7439D6EB9F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027336Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:43.464{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04026E0CD5BA743E81A9E9B906B86C9A,SHA256=8275DFBF108BA868B0E8FDE851860C191066F7AEE237F346626E05F8280E0036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050528Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:44.606{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=806B72EAAECC818EEEC336EA07AE0161,SHA256=3FAFF213C8C94AD231F8860C89A5867596AE3A219B477BF714964DD640022EE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027338Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:44.496{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F80F79A7F893591EB647F90545EC8ADB,SHA256=AD7E4EB9FBBA795367DEA90E714C1E2859D9B4A0DA6B17FB51CAC07310F8CB5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027337Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:44.342{4A7D70D7-4BB9-6140-1E00-00000000F101}1200NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048c9ce0a14d8581d\channels\health\respondent-20210914071403-104MD5=6BC7EA00CD47C1D6CBA9803B46ADA0B9,SHA256=8A1C236148BFDB262F48F4DC65B8BF7ED103820369A4D475048D55288754A72B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050530Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:44.207{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50743-false10.0.1.12-8000- 23542300x800000000000000050529Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:45.607{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58F50A83A172AD869BEEF085D35134C4,SHA256=E8FD9C7BBC040B9BF544E7F2DF88D3C9AACA30CB6504C1AF0E4FE6C2D4D08E7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027340Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:45.512{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1DA00F301CAF689FD94236DA2516307,SHA256=B9B52CB46DCB6EC93C44153348AFBCD3920EEC4FA88AFACA99EE176A81E6951F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027339Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:45.344{4A7D70D7-4BB9-6140-1E00-00000000F101}1200NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048c9ce0a14d8581d\channels\health\surveyor-20210914071401-105MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050531Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:46.638{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C4499DC531A2713D595323656643F3,SHA256=31E86846C7CD5CA8BAB2EEA9D283A645E53173AED1ACA48976D6C13FBFD56AE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027341Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:46.515{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A29FC0F05B16C6ED2A2D212275AEC101,SHA256=1DC9969DE8224118DED583DD53C2DBF634797DB5387490544C4FEBE7ACF89EE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050542Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:47.655{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA53767037B9FC8936F17B4768EA7510,SHA256=F109877A167A6F3D3071CCF1D43E9C0709EB6A7699283FD6BCD159E9195A608C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027343Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:47.531{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C798AACE14E2476F6750173AFE7B08D2,SHA256=038063E7EE64133CA8C92040C74CCB62902B41345B2B3591043A85A9E99BCB86,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000050541Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:47.592{C8F4C507-64FB-6140-5809-00000000F001}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000050540Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:47.592{C8F4C507-64FB-6140-5809-00000000F001}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 
10341000x800000000000000050539Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:47.592{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-64FB-6140-5809-00000000F001}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050538Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:47.560{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050537Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:01:47.560{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050536Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:47.560{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050535Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:01:47.560{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050534Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:47.560{C8F4C507-4936-6140-0500-00000000F001}416432C:\Windows\system32\csrss.exe{C8F4C507-64FB-6140-5809-00000000F001}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050533Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:47.560{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-64FB-6140-5809-00000000F001}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050532Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:47.561{C8F4C507-64FB-6140-5809-00000000F001}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000027342Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:43.601{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51040-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000050566Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:48.920{C8F4C507-64FC-6140-5A09-00000000F001}50601960C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000050565Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:48.748{C8F4C507-64FC-6140-5A09-00000000F001}5060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000050564Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:48.748{C8F4C507-64FC-6140-5A09-00000000F001}5060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000050563Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:01:48.748{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-64FC-6140-5A09-00000000F001}5060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050562Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:48.748{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050561Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:01:48.748{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050560Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:48.748{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050559Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:01:48.748{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050558Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:48.748{C8F4C507-4936-6140-0500-00000000F001}416432C:\Windows\system32\csrss.exe{C8F4C507-64FC-6140-5A09-00000000F001}5060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050557Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:48.748{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-64FC-6140-5A09-00000000F001}5060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050556Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:48.749{C8F4C507-64FC-6140-5A09-00000000F001}5060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000050555Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:48.670{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F381D27B3F87EF430E477058E2A6A0A1,SHA256=99BE9CF941AD73CDA8C57B31825A15B22FBE008A339933F54AADDFA9E434CFAE,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000050554Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:48.670{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C342056DE5C6DE2E13D86292296255E9,SHA256=7D4C2F02F81E8FD0F305929564800F4EEBA14681327F224819DFF226DECCD7B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050553Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:48.670{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F8BD88AB3A538CDCC4C2B1C8F3BE7A0,SHA256=68AEF1AAEC7EAD53460DC45BDBAB18FA668E057365728EB1C6B234EE201FC79D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027344Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:48.546{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=091A86B33E550A0EC1CCFD3EFB8E3D3D,SHA256=9141DCFC169EA2B028DCF0CC6FC9E67B080ECD13F4F77FAF1683EDA50465C137,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000050552Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:48.060{C8F4C507-64FC-6140-5909-00000000F001}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000050551Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:48.060{C8F4C507-64FC-6140-5909-00000000F001}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000050550Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:48.060{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-64FC-6140-5909-00000000F001}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050549Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:01:48.060{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050548Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:48.060{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050547Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:01:48.060{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050546Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:48.060{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050545Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:48.060{C8F4C507-4936-6140-0500-00000000F001}416532C:\Windows\system32\csrss.exe{C8F4C507-64FC-6140-5909-00000000F001}5396C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050544Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:48.060{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-64FC-6140-5909-00000000F001}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050543Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:48.061{C8F4C507-64FC-6140-5909-00000000F001}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000050569Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:49.763{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C342056DE5C6DE2E13D86292296255E9,SHA256=7D4C2F02F81E8FD0F305929564800F4EEBA14681327F224819DFF226DECCD7B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050568Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:49.670{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91F4F4D79CFBF591D66D76BA5D3BBFCF,SHA256=B1728EEA6F0AC6D3E579A7D94957D9BB1CF317D8F43CF3CAACA70384255AB048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050567Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:49.670{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6A1C42C8EF55FCAAF3C1533102B7297,SHA256=6C9EABECA35EC18D9C32E974791A87430A52E35F183D946D9B8A12A440A8EE3E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000027345Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:49.562{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=202472A7FD9CA5772CA0A80E92835697,SHA256=AC83DD9947F2C5B9176CEB3849746D7B3672947A0DCCC1CA9B1E6989877EC0DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050571Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:49.383{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50744-false10.0.1.12-8000- 23542300x800000000000000050570Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:50.763{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE8AD6FF628EF0B3C56A3EAA2AF8D71F,SHA256=B150CDC3536488EC1D2E1A87E6D700F559FB70226A72278F6F8BF2ACBE704200,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027346Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:50.577{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68B8571BA53FA5184A6A61FD2BDFE012,SHA256=495D410F8090AE6015726EF9C13AC38280426E1F4C361A94AE9576BA760ACC5F,IMPHASH=00000000000000000000000000000000falsetrue 
[EventID 3 NetworkConnect v5 | RecordID 50586 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:50.787 | RuleName -]
ProcessGuid: {C8F4C507-4936-6140-0B00-00000000F001}  ProcessId: 632  User: NT AUTHORITY\SYSTEM
Image: C:\Windows\System32\lsass.exe
Protocol: tcp  Initiated: false
Source: IsIpv6 true, Ip 0:0:0:0:0:0:0:1, Hostname win-dc-158.attackrange.local, Port 50745, PortName -
Destination: IsIpv6 true, Ip 0:0:0:0:0:0:0:1, Hostname win-dc-158.attackrange.local, Port 389, PortName ldap

[EventID 3 NetworkConnect v5 | RecordID 50585 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:50.787 | RuleName -]
ProcessGuid: {C8F4C507-4948-6140-2700-00000000F001}  ProcessId: 2876  User: NT AUTHORITY\SYSTEM
Image: C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
Protocol: tcp  Initiated: true
Source: IsIpv6 true, Ip 0:0:0:0:0:0:0:1, Hostname win-dc-158.attackrange.local, Port 50745, PortName -
Destination: IsIpv6 true, Ip 0:0:0:0:0:0:0:1, Hostname win-dc-158.attackrange.local, Port 389, PortName ldap

[EventID 23 FileDelete v5 | RecordID 50584 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:51.779 | RuleName -]
ProcessGuid: {C8F4C507-495A-6140-7B00-00000000F001}  ProcessId: 3640  User: NT AUTHORITY\SYSTEM
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
Hashes: MD5=B3F17D4D60B09E4098040F7E275867F7,SHA256=E81440BBBF0CE5ACBD225207616609D3E079BE3A4877E4F47E4B9F86AD6948A0,IMPHASH=00000000000000000000000000000000
IsExecutable: false  Archived: true

[EventID 23 FileDelete v5 | RecordID 27347 | win-host-574.attackrange.local | UtcTime 2021-09-14 09:01:51.593 | RuleName -]
ProcessGuid: {4A7D70D7-4C4C-6140-D500-00000000F101}  ProcessId: 4060  User: NT AUTHORITY\SYSTEM
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
Hashes: MD5=355392B77B42D12BD4C8D863A5A0AC3E,SHA256=1FF0EA0EB90843B200F5BF5C57631EA9EF9E2981432731F0D2A2133317300EC8,IMPHASH=00000000000000000000000000000000
IsExecutable: false  Archived: true

[EventID 23 FileDelete v5 | RecordID 50583 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:51.732 | RuleName -]
ProcessGuid: {C8F4C507-495A-6140-7B00-00000000F001}  ProcessId: 3640  User: NT AUTHORITY\SYSTEM
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
Hashes: MD5=B1EC70FAE6175ABF1EF106A5CF6669C7,SHA256=B1544DC5AEDE3D6CE114F735B274DF5CC3B2BA75A8ACDDD69B95477C4E3A282E,IMPHASH=00000000000000000000000000000000
IsExecutable: false  Archived: true

[EventID 10 ProcessAccess v3 | RecordID 50582 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:51.576 | RuleName -]
SourceProcessGUID: {C8F4C507-64FF-6140-5B09-00000000F001}  SourceProcessId: 5300  SourceThreadId: 6392
SourceImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
TargetProcessGUID: {C8F4C507-4948-6140-2D00-00000000F001}  TargetProcessId: 2960
TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
GrantedAccess: 0x101400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[EventID 7 ImageLoad v3 | RecordID 50581 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:51.342 | RuleName -]
ProcessGuid: {C8F4C507-64FF-6140-5B09-00000000F001}  ProcessId: 5300
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
ImageLoaded: C:\Windows\System32\Wldap32.dll
FileVersion: 10.0.14393.3269 (rs1_release.190929-1234)  Description: Win32 LDAP API DLL  Product: Microsoft® Windows® Operating System  Company: Microsoft Corporation  OriginalFileName: WLDAP32.DLL
Hashes: MD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799
Signed: true  Signature: Microsoft Windows  SignatureStatus: Valid

[EventID 7 ImageLoad v3 | RecordID 50580 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:51.342 | RuleName -]
ProcessGuid: {C8F4C507-64FF-6140-5B09-00000000F001}  ProcessId: 5300
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
ImageLoaded: C:\Windows\System32\adsldpc.dll
FileVersion: 10.0.14393.0 (rs1_release.160715-1616)  Description: ADs LDAP Provider C DLL  Product: Microsoft® Windows® Operating System  Company: Microsoft Corporation  OriginalFileName: adsldpc
Hashes: MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761
Signed: true  Signature: Microsoft Windows  SignatureStatus: Valid

[EventID 10 ProcessAccess v3 | RecordID 50579 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:51.342 | RuleName -]
SourceProcessGUID: {C8F4C507-4949-6140-3700-00000000F001}  SourceProcessId: 3356  SourceThreadId: 3376
SourceImage: C:\Windows\system32\conhost.exe
TargetProcessGUID: {C8F4C507-64FF-6140-5B09-00000000F001}  TargetProcessId: 5300
TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
GrantedAccess: 0x1fffff
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[EventID 10 ProcessAccess v3 | RecordID 50578 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:51.342 | RuleName -]
SourceProcessGUID: {C8F4C507-4937-6140-0C00-00000000F001}  SourceProcessId: 848  SourceThreadId: 6952
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {C8F4C507-4948-6140-2900-00000000F001}  TargetProcessId: 2892
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[EventID 10 ProcessAccess v3 | RecordID 50577 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:51.342 | RuleName -]
SourceProcessGUID: {C8F4C507-4937-6140-0C00-00000000F001}  SourceProcessId: 848  SourceThreadId: 6952
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {C8F4C507-4948-6140-2900-00000000F001}  TargetProcessId: 2892
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[EventID 10 ProcessAccess v3 | RecordID 50576 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:51.342 | RuleName -]
SourceProcessGUID: {C8F4C507-4937-6140-0C00-00000000F001}  SourceProcessId: 848  SourceThreadId: 6952
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {C8F4C507-4948-6140-2900-00000000F001}  TargetProcessId: 2892
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[EventID 10 ProcessAccess v3 | RecordID 50575 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:51.342 | RuleName -]
SourceProcessGUID: {C8F4C507-4937-6140-0C00-00000000F001}  SourceProcessId: 848  SourceThreadId: 6952
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {C8F4C507-4948-6140-2900-00000000F001}  TargetProcessId: 2892
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[EventID 10 ProcessAccess v3 | RecordID 50574 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:51.342 | RuleName -]
SourceProcessGUID: {C8F4C507-4936-6140-0500-00000000F001}  SourceProcessId: 416  SourceThreadId: 532
SourceImage: C:\Windows\system32\csrss.exe
TargetProcessGUID: {C8F4C507-64FF-6140-5B09-00000000F001}  TargetProcessId: 5300
TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
GrantedAccess: 0x1fffff
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

[EventID 10 ProcessAccess v3 | RecordID 50573 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:51.342 | RuleName -]
SourceProcessGUID: {C8F4C507-4948-6140-2D00-00000000F001}  SourceProcessId: 2960  SourceThreadId: 3456
SourceImage: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
TargetProcessGUID: {C8F4C507-64FF-6140-5B09-00000000F001}  TargetProcessId: 5300
TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
GrantedAccess: 0x1fffff
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[EventID 1 ProcessCreate v5 | RecordID 50572 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:51.342 | RuleName -]
ProcessGuid: {C8F4C507-64FF-6140-5B09-00000000F001}  ProcessId: 5300
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
FileVersion: -  Description: -  Product: -  Company: -  OriginalFileName: -
CommandLine: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM  LogonGuid: {C8F4C507-4936-6140-E703-000000000000}  LogonId: 0x3e7  TerminalSessionId: 0  IntegrityLevel: System
Hashes: MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C
ParentProcessGuid: {C8F4C507-4948-6140-2D00-00000000F001}  ParentProcessId: 2960
ParentImage: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
ParentCommandLine: "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

[EventID 23 FileDelete v5 | RecordID 50598 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:52.779 | RuleName -]
ProcessGuid: {C8F4C507-495A-6140-7B00-00000000F001}  ProcessId: 3640  User: NT AUTHORITY\SYSTEM
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
Hashes: MD5=200054E127D1F80F27D70AAC5EF9FC43,SHA256=8AA814CC784809C8884C9167DA0A1B7A901202D6BFF6BB48F21DE2DB7B12351F,IMPHASH=00000000000000000000000000000000
IsExecutable: false  Archived: true

[EventID 23 FileDelete v5 | RecordID 27349 | win-host-574.attackrange.local | UtcTime 2021-09-14 09:01:52.609 | RuleName -]
ProcessGuid: {4A7D70D7-4C4C-6140-D500-00000000F101}  ProcessId: 4060  User: NT AUTHORITY\SYSTEM
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
Hashes: MD5=C4CA7E0E0812F403E7128D4A947156F3,SHA256=FBAE4EE50508A5608DE272268011CFA16291B688F1FC00C9BE54A3BCB66128CD,IMPHASH=00000000000000000000000000000000
IsExecutable: false  Archived: true

[EventID 10 ProcessAccess v3 | RecordID 50597 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:52.654 | RuleName -]
SourceProcessGUID: {C8F4C507-6500-6140-5C09-00000000F001}  SourceProcessId: 3180  SourceThreadId: 6728
SourceImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
TargetProcessGUID: {C8F4C507-4948-6140-2D00-00000000F001}  TargetProcessId: 2960
TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
GrantedAccess: 0x101400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[EventID 7 ImageLoad v3 | RecordID 50596 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:52.498 | RuleName -]
ProcessGuid: {C8F4C507-6500-6140-5C09-00000000F001}  ProcessId: 3180
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
ImageLoaded: C:\Windows\System32\Wldap32.dll
FileVersion: 10.0.14393.3269 (rs1_release.190929-1234)  Description: Win32 LDAP API DLL  Product: Microsoft® Windows® Operating System  Company: Microsoft Corporation  OriginalFileName: WLDAP32.DLL
Hashes: MD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799
Signed: true  Signature: Microsoft Windows  SignatureStatus: Valid

[EventID 7 ImageLoad v3 | RecordID 50595 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:52.498 | RuleName -]
ProcessGuid: {C8F4C507-6500-6140-5C09-00000000F001}  ProcessId: 3180
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
ImageLoaded: C:\Windows\System32\adsldpc.dll
FileVersion: 10.0.14393.0 (rs1_release.160715-1616)  Description: ADs LDAP Provider C DLL  Product: Microsoft® Windows® Operating System  Company: Microsoft Corporation  OriginalFileName: adsldpc
Hashes: MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761
Signed: true  Signature: Microsoft Windows  SignatureStatus: Valid

[EventID 10 ProcessAccess v3 | RecordID 50594 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:52.498 | RuleName -]
SourceProcessGUID: {C8F4C507-4949-6140-3700-00000000F001}  SourceProcessId: 3356  SourceThreadId: 3376
SourceImage: C:\Windows\system32\conhost.exe
TargetProcessGUID: {C8F4C507-6500-6140-5C09-00000000F001}  TargetProcessId: 3180
TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
GrantedAccess: 0x1fffff
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[EventID 10 ProcessAccess v3 | RecordID 50593 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:52.498 | RuleName -]
SourceProcessGUID: {C8F4C507-4937-6140-0C00-00000000F001}  SourceProcessId: 848  SourceThreadId: 6952
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {C8F4C507-4948-6140-2900-00000000F001}  TargetProcessId: 2892
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[EventID 10 ProcessAccess v3 | RecordID 50592 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:52.498 | RuleName -]
SourceProcessGUID: {C8F4C507-4937-6140-0C00-00000000F001}  SourceProcessId: 848  SourceThreadId: 6952
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {C8F4C507-4948-6140-2900-00000000F001}  TargetProcessId: 2892
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[EventID 10 ProcessAccess v3 | RecordID 50591 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:52.498 | RuleName -]
SourceProcessGUID: {C8F4C507-4937-6140-0C00-00000000F001}  SourceProcessId: 848  SourceThreadId: 6952
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {C8F4C507-4948-6140-2900-00000000F001}  TargetProcessId: 2892
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[EventID 10 ProcessAccess v3 | RecordID 50590 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:52.498 | RuleName -]
SourceProcessGUID: {C8F4C507-4937-6140-0C00-00000000F001}  SourceProcessId: 848  SourceThreadId: 6952
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {C8F4C507-4948-6140-2900-00000000F001}  TargetProcessId: 2892
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[EventID 10 ProcessAccess v3 | RecordID 50589 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:52.498 | RuleName -]
SourceProcessGUID: {C8F4C507-4936-6140-0500-00000000F001}  SourceProcessId: 416  SourceThreadId: 532
SourceImage: C:\Windows\system32\csrss.exe
TargetProcessGUID: {C8F4C507-6500-6140-5C09-00000000F001}  TargetProcessId: 3180
TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
GrantedAccess: 0x1fffff
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

[EventID 10 ProcessAccess v3 | RecordID 50588 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:52.498 | RuleName -]
SourceProcessGUID: {C8F4C507-4948-6140-2D00-00000000F001}  SourceProcessId: 2960  SourceThreadId: 3456
SourceImage: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
TargetProcessGUID: {C8F4C507-6500-6140-5C09-00000000F001}  TargetProcessId: 3180
TargetImage: C:\Program Files\SplunkUniversalForwarder\b in\splunk-powershell.exe
GrantedAccess: 0x1fffff
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[EventID 1 ProcessCreate v5 | RecordID 50587 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:52.499 | RuleName -]
ProcessGuid: {C8F4C507-6500-6140-5C09-00000000F001}  ProcessId: 3180
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
FileVersion: -  Description: -  Product: -  Company: -  OriginalFileName: -
CommandLine: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM  LogonGuid: {C8F4C507-4936-6140-E703-000000000000}  LogonId: 0x3e7  TerminalSessionId: 0  IntegrityLevel: System
Hashes: MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C
ParentProcessGuid: {C8F4C507-4948-6140-2D00-00000000F001}  ParentProcessId: 2960
ParentImage: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
ParentCommandLine: "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

[EventID 3 NetworkConnect v5 | RecordID 27348 | win-host-574.attackrange.local | UtcTime 2021-09-14 09:01:48.617 | RuleName -]
ProcessGuid: {4A7D70D7-4C46-6140-CC00-00000000F101}  ProcessId: 2772  User: NT AUTHORITY\SYSTEM
Image: C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe
Protocol: tcp  Initiated: true
Source: IsIpv6 false, Ip 10.0.1.15, Hostname win-host-574.attackrange.local, Port 51041, PortName -
Destination: IsIpv6 false, Ip 10.0.1.12, Hostname ip-10-0-1-12.eu-central-1.compute.internal, Port 8000, PortName -

[EventID 23 FileDelete v5 | RecordID 27350 | win-host-574.attackrange.local | UtcTime 2021-09-14 09:01:53.624 | RuleName -]
ProcessGuid: {4A7D70D7-4C4C-6140-D500-00000000F101}  ProcessId: 4060  User: NT AUTHORITY\SYSTEM
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
Hashes: MD5=8C9CA37DDDA367EC9E82DB2B7631F0B9,SHA256=CC92542FEC9B21F0C0E2FD53B0E5811B36E95194693A3F1694996413FB358E98,IMPHASH=00000000000000000000000000000000
IsExecutable: false  Archived: true

[EventID 23 FileDelete v5 | RecordID 50622 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:53.779 | RuleName -]
ProcessGuid: {C8F4C507-495A-6140-7B00-00000000F001}  ProcessId: 3640  User: NT AUTHORITY\SYSTEM
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
Hashes: MD5=6431B27E80BFCBD8065AAAB20FD9442E,SHA256=6791E9D9EDB775D533F1E4ADA2D31B4D76B023BA27F247F0710D597958F7B83D,IMPHASH=00000000000000000000000000000000
IsExecutable: false  Archived: true

[EventID 23 FileDelete v5 | RecordID 50621 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:53.779 | RuleName -]
ProcessGuid: {C8F4C507-495A-6140-7B00-00000000F001}  ProcessId: 3640  User: NT AUTHORITY\SYSTEM
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
Hashes: MD5=3E9AD19F3570F181A7DE0AFC9EA8E0ED,SHA256=7E5F3E87B2CA742E4E2BD1E3AB877A204B00525DF9304D17D19A6BBE581DF130,IMPHASH=00000000000000000000000000000000
IsExecutable: false  Archived: true

[EventID 7 ImageLoad v3 | RecordID 50620 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:53.763 | RuleName -]
ProcessGuid: {C8F4C507-6501-6140-5E09-00000000F001}  ProcessId: 5944
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
ImageLoaded: C:\Windows\System32\Wldap32.dll
FileVersion: 10.0.14393.3269 (rs1_release.190929-1234)  Description: Win32 LDAP API DLL  Product: Microsoft® Windows® Operating System  Company: Microsoft Corporation  OriginalFileName: WLDAP32.DLL
Hashes: MD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799
Signed: true  Signature: Microsoft Windows  SignatureStatus: Valid

[EventID 7 ImageLoad v3 | RecordID 50619 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:53.763 | RuleName -]
ProcessGuid: {C8F4C507-6501-6140-5E09-00000000F001}  ProcessId: 5944
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
ImageLoaded: C:\Windows\System32\adsldpc.dll
FileVersion: 10.0.14393.0 (rs1_release.160715-1616)  Description: ADs LDAP Provider C DLL  Product: Microsoft® Windows® Operating System  Company: Microsoft Corporation  OriginalFileName: adsldpc
Hashes: MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761
Signed: true  Signature: Microsoft Windows  SignatureStatus: Valid

[EventID 10 ProcessAccess v3 | RecordID 50618 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:53.763 | RuleName -]
SourceProcessGUID: {C8F4C507-4949-6140-3700-00000000F001}  SourceProcessId: 3356  SourceThreadId: 3376
SourceImage: C:\Windows\system32\conhost.exe
TargetProcessGUID: {C8F4C507-6501-6140-5E09-00000000F001}  TargetProcessId: 5944
TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
GrantedAccess: 0x1fffff
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[EventID 10 ProcessAccess v3 | RecordID 50617 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:53.763 | RuleName -]
SourceProcessGUID: {C8F4C507-4937-6140-0C00-00000000F001}  SourceProcessId: 848  SourceThreadId: 6952
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {C8F4C507-4948-6140-2900-00000000F001}  TargetProcessId: 2892
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EventID 10 ProcessAccess v3 | RecordID 50616 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:53.763 | RuleName -]
SourceProcessGUID: {C8F4C507-4937-6140-0C00-00000000F001}  SourceProcessId: 848  SourceThreadId: 6952
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {C8F4C507-4948-6140-2900-00000000F001}  TargetProcessId: 2892
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[EventID 10 ProcessAccess v3 | RecordID 50615 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:53.763 | RuleName -]
SourceProcessGUID: {C8F4C507-4937-6140-0C00-00000000F001}  SourceProcessId: 848  SourceThreadId: 6952
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {C8F4C507-4948-6140-2900-00000000F001}  TargetProcessId: 2892
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[EventID 10 ProcessAccess v3 | RecordID 50614 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:53.763 | RuleName -]
SourceProcessGUID: {C8F4C507-4937-6140-0C00-00000000F001}  SourceProcessId: 848  SourceThreadId: 6952
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {C8F4C507-4948-6140-2900-00000000F001}  TargetProcessId: 2892
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[EventID 10 ProcessAccess v3 | RecordID 50613 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:53.763 | RuleName -]
SourceProcessGUID: {C8F4C507-4936-6140-0500-00000000F001}  SourceProcessId: 416  SourceThreadId: 96
SourceImage: C:\Windows\system32\csrss.exe
TargetProcessGUID: {C8F4C507-6501-6140-5E09-00000000F001}  TargetProcessId: 5944
TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
GrantedAccess: 0x1fffff
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

[EventID 10 ProcessAccess v3 | RecordID 50612 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:53.763 | RuleName -]
SourceProcessGUID: {C8F4C507-4948-6140-2D00-00000000F001}  SourceProcessId: 2960  SourceThreadId: 3456
SourceImage: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
TargetProcessGUID: {C8F4C507-6501-6140-5E09-00000000F001}  TargetProcessId: 5944
TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
GrantedAccess: 0x1fffff
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[EventID 1 ProcessCreate v5 | RecordID 50611 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:53.764 | RuleName -]
ProcessGuid: {C8F4C507-6501-6140-5E09-00000000F001}  ProcessId: 5944
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
FileVersion: 8.0.2  Description and Product (the boundary between the two fields is not recoverable from the export): Windows Print Monitor splunk Application  Company: Splunk Inc.  OriginalFileName: splunk-winprintmon.exe
CommandLine: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM  LogonGuid: {C8F4C507-4936-6140-E703-000000000000}  LogonId: 0x3e7  TerminalSessionId: 0  IntegrityLevel: System
Hashes: MD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748
ParentProcessGuid: {C8F4C507-4948-6140-2D00-00000000F001}  ParentProcessId: 2960
ParentImage: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
ParentCommandLine: "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

[EventID 23 FileDelete v5 | RecordID 50610 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:53.732 | RuleName -]
ProcessGuid: {C8F4C507-495A-6140-7B00-00000000F001}  ProcessId: 3640  User: NT AUTHORITY\SYSTEM
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
Hashes: MD5=0DF27A9E9EE8F7A4F3B53B0296BBD98E,SHA256=DF29D00D82708722B0CB2E2588C292283F0973E2CE9336A98BC68B61651521E5,IMPHASH=00000000000000000000000000000000
IsExecutable: false  Archived: true

[EventID 10 ProcessAccess v3 | RecordID 50609 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:53.392 | RuleName -]
SourceProcessGUID: {C8F4C507-6501-6140-5D09-00000000F001}  SourceProcessId: 6352  SourceThreadId: 4724
SourceImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
TargetProcessGUID: {C8F4C507-4948-6140-2D00-00000000F001}  TargetProcessId: 2960
TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
GrantedAccess: 0x101400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[EventID 7 ImageLoad v3 | RecordID 50608 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:53.092 | RuleName -]
ProcessGuid: {C8F4C507-6501-6140-5D09-00000000F001}  ProcessId: 6352
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
ImageLoaded: C:\Windows\System32\Wldap32.dll
FileVersion: 10.0.14393.3269 (rs1_release.190929-1234)  Description: Win32 LDAP API DLL  Product: Microsoft® Windows® Operating System  Company: Microsoft Corporation  OriginalFileName: WLDAP32.DLL
Hashes: MD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799
Signed: true  Signature: Microsoft Windows  SignatureStatus: Valid

[EventID 7 ImageLoad v3 | RecordID 50607 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:53.092 | RuleName -]
ProcessGuid: {C8F4C507-6501-6140-5D09-00000000F001}  ProcessId: 6352
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
ImageLoaded: C:\Windows\System32\adsldpc.dll
FileVersion: 10.0.14393.0 (rs1_release.160715-1616)  Description: ADs LDAP Provider C DLL  Product: Microsoft® Windows® Operating System  Company: Microsoft Corporation  OriginalFileName: adsldpc
Hashes: MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761
Signed: true  Signature: Microsoft Windows  SignatureStatus: Valid

[EventID 10 ProcessAccess v3 | RecordID 50606 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:53.092 | RuleName -]
SourceProcessGUID: {C8F4C507-4949-6140-3700-00000000F001}  SourceProcessId: 3356  SourceThreadId: 3376
SourceImage: C:\Windows\system32\conhost.exe
TargetProcessGUID: {C8F4C507-6501-6140-5D09-00000000F001}  TargetProcessId: 6352
TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
GrantedAccess: 0x1fffff
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[EventID 10 ProcessAccess v3 | RecordID 50605 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:53.092 | RuleName -]
SourceProcessGUID: {C8F4C507-4937-6140-0C00-00000000F001}  SourceProcessId: 848  SourceThreadId: 6952
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {C8F4C507-4948-6140-2900-00000000F001}  TargetProcessId: 2892
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[EventID 10 ProcessAccess v3 | RecordID 50604 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:53.092 | RuleName -]
SourceProcessGUID: {C8F4C507-4937-6140-0C00-00000000F001}  SourceProcessId: 848  SourceThreadId: 6952
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {C8F4C507-4948-6140-2900-00000000F001}  TargetProcessId: 2892
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[EventID 10 ProcessAccess v3 | RecordID 50603 | win-dc-158.attackrange.local | UtcTime 2021-09-14 09:01:53.092 | RuleName -]
SourceProcessGUID: {C8F4C507-4937-6140-0C00-00000000F001}  SourceProcessId: 848  SourceThreadId: 6952
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {C8F4C507-4948-6140-2900-00000000F001}  TargetProcessId: 2892
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[EventID 10 ProcessAccess v3 | RecordID 50602 | win-dc-158.attackrange.local | UtcTime 2021-09-14 (time of day and the rest of the record continue past this section) | RuleName -]
09:01:53.092{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050601Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:53.092{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-6501-6140-5D09-00000000F001}6352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050600Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:53.092{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-6501-6140-5D09-00000000F001}6352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050599Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:53.093{C8F4C507-6501-6140-5D09-00000000F001}6352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000050625Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:54.810{C8F4C507-4938-6140-0D00-00000000F001}9043476C:\Windows\system32\svchost.exe{C8F4C507-4937-6140-0C00-00000000F001}848C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x800000000000000050624Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:54.795{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15E113FD50871BDBA61703BF2876C109,SHA256=7AA2927BF4F9E36BA1997E677558FBD2AE745BC72178EA817C6B795B7C81859D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050623Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:54.795{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CDD1F57B91D3BE4B876E4B4D64C23A4,SHA256=CB6F363DB58340926A27C77E832A893DA609EB8A3CF02F2D8FE5F79C0A45B0C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027351Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:54.640{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD5C41AD4AFAE8BE0B4256ACDDBE368E,SHA256=55D48FA265A7DF95DE56AD350BC86AA529D8301B474C162CE5CE72EC144F8BFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050626Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:55.795{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A02A06C9027F425EEACB4F8B19A92223,SHA256=F4EEAB5C1974C1E2F719D285AE7450BCEBD513FDF1D0309DB1410689F29DFD6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027352Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:55.656{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=758607DF8924327FB1CC696B085C22A2,SHA256=0D069A2EC14BB3F8C2AC18EE6F86D6DE1CEC929A02D94D4936EEC3F103987950,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050627Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:56.873{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=620D85F8BBE4C988B67AC37FE878C01E,SHA256=917D3A6442ADED6C203E88F101CBF072BFBFC8AE1A193E27A6C187842088F22F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027353Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:56.656{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D24BD5BF4F9E674E6897EE99C3DD659,SHA256=B8216BB99BE15BB3B336525F5547F46642DAD67FEB3B20EAA3FE9CDC4EA717B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050629Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:57.904{C8F4C507-495A-6140-7B00-00000000F001}3640NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D179316900F89619B771DF39DF5D129C,SHA256=48BD8DD07C5A4A92B478BF0D10986B2D998CF322DBEE0839B2B99932B786CC6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027354Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:57.671{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3294235CA0911A920606A45BCEF51E4D,SHA256=F48EB6D11F6D4CA2160FCEB504F54CB4BE7158124F7CCCB0B417DF110CDB3DF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050628Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:55.130{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50746-false10.0.1.12-8000- 23542300x800000000000000050630Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:58.904{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07ACDCDD9794938CC3B5DE39561B804B,SHA256=CC99C35A6BE89894334BBDBFE0EBD53EFA120ADA199217AEB171FAFF6CC5DB67,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027356Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:54.648{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51042-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027355Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:58.687{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=814B1348460CA26F398F482A508A8422,SHA256=5747AD6EB78884B2D36FDCC208B972AA0F1A05E22BEC0ED4C9DC6B2EC37E2827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050631Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:01:59.920{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D77BCC8A9FAA5B930EC8839C6E5162C,SHA256=11C4C8825C4829BB8A3BD78B4D750DD46BD81D3181AC18A564097640B74EEB93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027357Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:01:59.702{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A61A988AD1959A944E286160AF87F7BB,SHA256=F4B8EC12FBCEAF189C0213466D1BF6D7DEB2BB75DBD644990212436CBF16FB5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050632Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:00.920{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E93D97A54B56C5DC0CC8DA328AC15AA9,SHA256=50D698F275608CBDD83BBB576295A4E54F11F36CA55435526DE454ECEF273094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027358Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:00.718{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D02763383E3EF7DF1DB85A23E8AE523,SHA256=0082D70635348DE91F00D3CD6B7DF81AC1BA6186827954BF563BD6AFE4BE7D88,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050634Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:00.302{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50747-false10.0.1.12-8000- 23542300x800000000000000050633Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:01.935{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E32FD95CE71F3BEE7D203F373F14B1E,SHA256=592DBA468FB19ED798F8348EB3A55CBAF6A3F70C0961ADA26BAADE1A90D55F6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027359Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:01.718{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4B54F2224AD3D4E15B8950F3A388372,SHA256=3EC04436DFE88BBA582EA1E8ACB8AF77C137C729C498C15BB53FEF90AA3735F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050635Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:02.967{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47033F902CB5B2FCD4743EBCFB497713,SHA256=BCD29D61E98458AF5DA95BEEDDE1246339786AF13F8EADA3DC6318B4E7B24F27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027361Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:02.734{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FC5F031BB548D8533BF443ACA8938E3,SHA256=8B43C66EA94CD75321221FC8FB13C1379E8EF542A70C1FAD1AF702E0245F62D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027360Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:02.671{4A7D70D7-4BB8-6140-1300-00000000F101}368NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=19FF1687C6E0311991B1F7653873F848,SHA256=D9A53D9D9D421FDD42D65D1AA57DB32CD434B3DB555FA35428EE5D50C89FE0A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027373Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:00.633{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51043-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027372Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:03.749{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=677AE83880AD8FA83511DD73D25FB8CE,SHA256=8FF47437492EEFFE930A6762AD5D35AA6F190E359751756F8129D35319D0D7FD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000027371Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-SetValue2021-09-14 09:02:03.296{4A7D70D7-4BB7-6140-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000027370Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-SetValue2021-09-14 09:02:03.296{4A7D70D7-4BB7-6140-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0062f64a) 13241300x800000000000000027369Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-SetValue2021-09-14 09:02:03.296{4A7D70D7-4BB7-6140-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a93e-0xcd558b1b) 13241300x800000000000000027368Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-SetValue2021-09-14 09:02:03.296{4A7D70D7-4BB7-6140-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a947-0x2f19f31b) 
13241300x800000000000000027367Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-SetValue2021-09-14 09:02:03.296{4A7D70D7-4BB7-6140-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a94f-0x90de5b1b) 13241300x800000000000000027366Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-SetValue2021-09-14 09:02:03.296{4A7D70D7-4BB7-6140-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000027365Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-SetValue2021-09-14 09:02:03.296{4A7D70D7-4BB7-6140-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0062f64a) 13241300x800000000000000027364Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-SetValue2021-09-14 09:02:03.296{4A7D70D7-4BB7-6140-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a93e-0xcd558b1b) 13241300x800000000000000027363Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-SetValue2021-09-14 09:02:03.296{4A7D70D7-4BB7-6140-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a947-0x2f19f31b) 13241300x800000000000000027362Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-SetValue2021-09-14 09:02:03.296{4A7D70D7-4BB7-6140-0B00-00000000F101}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a94f-0x90de5b1b) 23542300x800000000000000027374Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:02:04.765{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=284A83AA5281D7A0FB30F19D8D00B261,SHA256=D38A4F6487B77F5394D9A63F9717C66AC248A5CCDE3E190BCDB9D90C3B0635B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050636Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:04.013{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=671DE165619532ADE284728F7713216A,SHA256=BB9DD29F92321D0899DA76E1258EB147136A50743A226EBDA4D7E6B2B57C4F41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027375Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:05.779{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A90570DF6D72AFE85A601594B6BA67F,SHA256=0E98B3A52F415A8FCF8E98A597F962A1DC6B67D45CCBB8290F95574148068B81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050637Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:05.013{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEDF36B69BC04279ABEB9ECEF6D90C8B,SHA256=F3B34279E55BC81FF6B1A4B9DFDE1BA46F397A7119B91FA523481045622A8697,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000027378Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:06.779{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8177D578CB70BEBA861C85007DF481A8,SHA256=891404B56BA09F994C109991F3F4B5B2E338FC990B0B5DAA032E3160ADE229B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050638Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:06.028{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6C1DECEA377AB099FF35565A343BA5C,SHA256=96FB7B6F49CD32C0E6D9FF6B3ADF14F6B798DB63A91B8A8F81C2F766CB872DF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027377Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:06.185{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9F0FA30AF707C1F5BF4A6A73A7F44C6E,SHA256=3EE96194A31D47B05FDF154A0326DF8E98FC2A1643DF39EFA6FDB1116776C337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027376Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:06.185{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E5171D1A4096A1C8DEAC77EA06F6FB40,SHA256=248811211DEF0832A9EA61509EACA22230425841DB457C6CD968C31601AB6378,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027379Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:07.795{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D74F486E4123CE07DF933DC832C953,SHA256=6E6BA8C61189042F3EA99EDB849152F9AA2A924668BF72DE04F5A2FC9CEAB6B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050639Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:07.044{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4BDCCA6315C00E0290DCBD5EF2900EB,SHA256=4CC7ED875FDB73A3B245CAE5AFEFE7596EF6F62598A4B93548F058509AEA4445,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027380Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:08.810{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDB92A6A9A615EF8C477DF5F1B7AEFF0,SHA256=7772B223B3C8CC6AA3F9A8AB5D8D97BB3C110BE9B8B17F5C353B1CAFF5E47170,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050641Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:06.208{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50748-false10.0.1.12-8000- 23542300x800000000000000050640Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:08.044{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52419F1326C3F0ED98505C86EBBD8E71,SHA256=A1D9804FE344B7CD555A9FA68ABE6925B5B28DC3008F549A97EDBBF1104D2FC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027381Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:09.810{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96317894626CFBF2FBCA442FB88D6DED,SHA256=7A8C190EF6CE4967E07E84EB7F907C30DD239179FCE3EE072CAC4BCBCC13C6CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050642Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:09.060{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9649900BCE264862C43EA8CD6DD94E6,SHA256=F23A7014344EBFFE8504404694DDE80E2CD28E750147420A93780F058E2E3B9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027383Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:10.810{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=101CED8DE2703D29BB48641FFCB11BA4,SHA256=2E1ED39597ABD7D9338DCCBC3B085D32A9BDAB8EF86266CC607E729FFC924D54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050672Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:10.325{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050671Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:10.325{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000050670Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:10.325{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050669Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:10.325{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050668Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:10.325{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050667Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:10.325{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050666Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:10.325{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050665Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:10.325{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050664Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:10.325{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050663Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:10.325{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050662Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:10.325{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050661Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:10.325{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050660Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:10.325{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050659Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:10.325{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050658Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:10.325{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050657Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:10.325{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050656Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:10.325{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050655Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:10.325{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050654Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:10.325{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050653Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:10.325{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050652Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:10.325{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050651Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:10.325{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050650Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:10.325{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050649Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:10.325{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050648Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:10.325{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050647Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:10.325{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050646Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:10.325{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050645Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:10.325{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050644Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:10.325{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050643Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:10.075{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3A9CF6628B7F3E00F2630288CE309B2,SHA256=48ACC92B7CFAB91F5B156A4318E44CB90C72E51B2AE6AD19FB5C8BBB90A6CE84,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027382Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:05.678{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51044-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027385Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:11.826{4A7D70D7-4C3D-6140-9E00-00000000F101}360NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=97307B6C6226AFFEFEDDF9EBA24D5EA3,SHA256=4CB856A974CB30F2D8F223261AE885385947BBAEFF3925236FB5B2D7588E78E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027384Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:11.826{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0907D7E38AC96491993B07B9DA53047B,SHA256=7DC6653516308B897F6C785B3C8C7D4F009A69ACBEE0C5410A393C68C9C0A5A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050673Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:11.544{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE4CB52DE92D4168B3CC57892E29989,SHA256=220A7EDB8E9CFD18AAB79C5EBDF332610AA3C55841C2839BC3F6F99D7871EE07,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027387Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:10.366{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51045-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000027386Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:12.842{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=269A0B85F39EF9C3CB0C7B97CF5233B3,SHA256=02784D6021634AD9FFB30C2A3F6CA515DE88F6DEF8B0C01891CF843B81EBDFC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050674Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:12.544{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FCC19957011C91F8B0E2E21FD54057D,SHA256=071F7A939BBD00FE187D15A272A5885262B853C23FDEAD30DF2D464B224B524C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050676Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:13.575{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8099D192138F54D0721D6FFFB612E82,SHA256=921DBC112745226E6E80BE2CC3BA9590EBC04B9A83EB50AB4BC28C46528C8090,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050675Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:11.380{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50749-false10.0.1.12-8000- 23542300x800000000000000027388Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:13.857{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=044E0BB716D406EBE4EA8C42371A8734,SHA256=C891852C9F9F4A457B4575B69790E76A953EF3FEE44C0395BEE2E3299AA6B1D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050677Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:14.606{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5383797F60E686E523DEE728763F3524,SHA256=E6656FF704D7D46CC461A61E4FEA0EA9EA31E560E505564A5BA72FA61AA0C1B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027390Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:14.873{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0686F8ADF0396DC1C32105F9316ABED,SHA256=B90D7A8CCB2634A7F9C996FB6A1BAAFA770BC83E504B550858B181F6150AE188,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027389Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:10.788{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51046-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027391Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:15.888{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFD166E34A0FA36EE252FA9C85465EBC,SHA256=2D2B126B89469F6CC02C22E0C304C2DC90C3FD97168E55DDED7C9BC5D4F7A314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050678Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:15.606{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BFAF5486C8E74A5E19C749FBEBDE929,SHA256=88E7BDB2D8BE421FD05EBA53CDBC34DE447388C428D877285E3425134A9D835B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027392Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:16.904{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C80E9ADDCFA53E901C8B4229A7DC10F,SHA256=7E446E26D35BE4C86320D1B4FB764FFFDCB6BF69D533BDFC9C7579846ED0D121,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050679Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:16.606{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4C8234D3486858441B6FB6E500A98BA,SHA256=7CDB7D33A4D9F3F64D03DD9389E232BCE921A145E2A10E975C0BD776D2F6F2B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050680Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:17.638{C8F4C507-495A-6140-7B00-00000000F001}3640NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A19AEB15E0565237FEAE2C069504E02,SHA256=E91BFBC31824D64B04FF1B7FF5FF2E59E86D2B6529353BC33C41C55D566F48F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027393Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:17.920{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38046F7F3C28C418C9D0808B21B1484F,SHA256=D3BE4322849583E77F053480F47A2C08137F7D04A86ED30A38C4D0637990C4B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050682Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:17.255{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50750-false10.0.1.12-8000- 23542300x800000000000000050681Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:18.638{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19D7B53A2CCD1AD4CEE2A4BEF32F9C65,SHA256=B145B3E5C5E61E4C05983E859B8A0E06BD725BB3896F7A20F2876D1CD956FDD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027394Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:18.935{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B4EB7DBF52EB6DA79CB8EEF3F0EA065,SHA256=7F7770DCBFD416CBDAFF584EE211530F4C0EC90736C37035D78B7275EAC2D1FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027395Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:19.951{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EFBA9F2E3405BC17012639C0B0804CC,SHA256=47CD27745CEFEE1A15A02E54F98B0742E1BEE01631F1390F9770E6AD02D95CF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050683Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:19.669{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E46C276DD431723C3B8D0A76B99EC9F,SHA256=294C48991F02D2D5D584259805BCC49E226A32122F470646BDDA79AF7CFF2867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027397Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:20.967{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C73A9310790B420BC6AEAD49CB7F8D3,SHA256=FCC6ACEB34C12C2DD07CC5EC55D3360D50BBBA104BE490AF74C438698787B847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050684Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:20.684{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A00B9B1B1CF1F439630811FFB901157A,SHA256=EE3C100F4331A4CF00A85E489F38DA9AFAD3D4DB10EB1E530AEB41AB6895E0DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027396Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:16.678{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51047-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027398Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:21.982{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B3C8008065A46FC900286A8C26E11D3,SHA256=1D7F840FF0F2CCE4F1AC182596BFD3693FA09469346D1276B2CE94817A10D357,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050686Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:21.700{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=548EDC1C9D203390A526449BEA6700E8,SHA256=35F480942F166ECB02EC38D952DEE0BF835FD459CE9150220F669AA9DD7C1839,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050685Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:21.231{C8F4C507-4938-6140-1000-00000000F001}420NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8831C9E3499C9BDD92657FB406349B10,SHA256=5A2C3D4431576F2780CA01A321CA249FC44F24FC5DC0ACBE67AF8BD0B1120ECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050687Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:22.700{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FA696E8839904C2CB3B3A308E8F3CFE,SHA256=3B19D9CE000CA80EF9AA2006DEE2F6A2DF9C42873F89070CBECE0A60CE3B9813,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027425Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:22.638{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-651E-6140-A806-00000000F101}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027424Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:02:22.638{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027423Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:22.638{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027422Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:02:22.638{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027421Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:22.638{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027420Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:02:22.638{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027419Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:22.638{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027418Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:02:22.638{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027417Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:22.638{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027416Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:02:22.638{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027415Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:22.638{4A7D70D7-4BB7-6140-0500-00000000F101}416532C:\Windows\system32\csrss.exe{4A7D70D7-651E-6140-A806-00000000F101}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027414Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:22.638{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-651E-6140-A806-00000000F101}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027413Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:22.639{4A7D70D7-651E-6140-A806-00000000F101}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000027412Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:22.357{4A7D70D7-651E-6140-A706-00000000F101}27563856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027411Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:22.138{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-651E-6140-A706-00000000F101}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027410Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:22.138{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027409Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:02:22.138{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027408Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:22.138{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027407Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:02:22.138{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027406Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:22.138{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027405Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:02:22.138{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027404Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:22.138{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027403Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:02:22.138{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027402Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:22.138{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027401Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:22.138{4A7D70D7-4BB7-6140-0500-00000000F101}416532C:\Windows\system32\csrss.exe{4A7D70D7-651E-6140-A706-00000000F101}2756C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027400Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:22.138{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-651E-6140-A706-00000000F101}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027399Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:22.139{4A7D70D7-651E-6140-A706-00000000F101}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000050688Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:23.731{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D99D8512BEC8C4A21CD1E8F7DFAAC7E,SHA256=6EF8AA5EA37740B54956F17773590417E206237BC9AAEB61ABAAFDA645C95C1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027441Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:23.513{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F02CFC80466C0CD208912ACF0215FC5,SHA256=80BFED565877D69799B79744AF5825AE89D7AD82430FA35AA276BF00B73931DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027440Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:23.513{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D65FA29E8A217F944596A9E6AC539FA0,SHA256=CE5089658DF044D9E612C26C86FBE7C30A012281CD6D973D7A30E69A6E44A439,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000027439Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:23.513{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5259834D7E76DCA90603D3E6CA486A29,SHA256=070063D6F186D68F10E519100CBDE63EEAF5A04601BEB1AE50C923EDF7CBD65F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027438Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:23.310{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-651F-6140-A906-00000000F101}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027437Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:23.310{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000027436Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:23.310{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027435Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:23.310{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027434Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:02:23.310{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027433Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:23.310{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027432Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:02:23.310{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027431Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:23.310{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027430Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:02:23.310{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027429Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:23.310{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027428Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:23.310{4A7D70D7-4BB7-6140-0500-00000000F101}416432C:\Windows\system32\csrss.exe{4A7D70D7-651F-6140-A906-00000000F101}3968C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027427Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:23.310{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-651F-6140-A906-00000000F101}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027426Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:23.311{4A7D70D7-651F-6140-A906-00000000F101}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000050690Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:22.380{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50751-false10.0.1.12-8000- 23542300x800000000000000050689Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:24.747{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7D2661FCDCDD9B61DE9A86C36D31B99,SHA256=857D8BFB898DFAE98C74E5BD170A05CD1DAA88D8FBC5A45F31BCB807340460A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027442Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:24.342{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE298055BC0DFE67E93923DEDEF5A46,SHA256=4D3E2CA12E3606AF236475A1E54E0F9573C764D498599DF46E81E080A45F8678,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050691Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:25.794{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51211A4A806C472268619D647457E4FB,SHA256=DD7F7008E37B76A86797E2856F44ABF8B404EB54B70010CD516748A722A2C4DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027471Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:25.935{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-6521-6140-AB06-00000000F101}412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027470Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:25.935{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027469Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:02:25.935{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027468Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:25.935{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027467Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:02:25.935{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027466Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:25.935{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027465Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:02:25.935{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027464Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:25.935{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027463Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:02:25.935{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027462Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:25.935{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027461Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:25.935{4A7D70D7-4BB7-6140-0500-00000000F101}416532C:\Windows\system32\csrss.exe{4A7D70D7-6521-6140-AB06-00000000F101}412C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027460Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:25.935{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-6521-6140-AB06-00000000F101}412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027459Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:25.936{4A7D70D7-6521-6140-AB06-00000000F101}412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000027458Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:25.654{4A7D70D7-6521-6140-AA06-00000000F101}22563564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000027457Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:22.709{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51048-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027456Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:25.466{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10FC420060BF49B4E7DEC9ABA0A5781D,SHA256=068E5C28439169C2712B7E2B711519D479D0164A805FCA5F4EA83534A5DDD2E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027455Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:25.435{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-6521-6140-AA06-00000000F101}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027454Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:25.435{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027453Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:02:25.435{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027452Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:25.435{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027451Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:02:25.435{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027450Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:25.435{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027449Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:02:25.435{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027448Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:25.435{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027447Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:02:31.512{C8F4C507-4938-6140-1200-00000000F001}6204220C:\Windows\System32\svchost.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050705Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:31.512{C8F4C507-4938-6140-1200-00000000F001}6204220C:\Windows\System32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050704Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:31.512{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050703Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:31.512{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050702Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:31.512{C8F4C507-5C83-6140-A007-00000000F001}42245620C:\Windows\system32\csrss.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050701Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:31.512{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050700Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:31.512{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050699Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:31.512{C8F4C507-5C87-6140-B607-00000000F001}33722840C:\Windows\Explorer.EXE{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+18cfac|C:\Windows\System32\SHELL32.dll+18cd03|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.D
LL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050698Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:31.510{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe1.0.0.0JsrWJsrW-JsrW.exe"C:\Temp\fin7_jssloader.exe" C:\Temp\ATTACKRANGE\Administrator{C8F4C507-5C85-6140-1A54-470000000000}0x47541a2HighMD5=122CB55F1352B9A1AEAFC83A85BFB165,SHA256=C328F48C5F4A2C2441BCD0B0C0551547CA254F7EBBB46D30D357E962D8330063,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 354300x800000000000000027509Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:28.709{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51049-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027508Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:32.685{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26445F231BFB919210791C19BE613461,SHA256=1DEEB6ECC91F8E623189DF6BF2DA2BCCBC0E02A32403AFC3FF4623214AC72905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050734Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:32.934{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E66C6ED3951F6568FB73EB989C47F5,SHA256=F76A587155EA50ABDCFE784EFB29A80B80EA22A0118776E3E085942B9C4172B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050733Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:32.919{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050732Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:32.919{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050731Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:32.731{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-6528-6140-6009-00000000F001}4400C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050730Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:32.731{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-6528-6140-6009-00000000F001}4400C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000050729Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:32.684{C8F4C507-6528-6140-6009-00000000F001}4400C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFF,IMPHASH=200200BEAF933FA4627BF83C67BA473EtrueMicrosoft WindowsValid 734700x800000000000000050728Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:32.669{C8F4C507-6528-6140-6009-00000000F001}4400C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3,IMPHASH=96416B54C1F2E15EF294753DF1CB4131trueMicrosoft WindowsValid 
734700x800000000000000050727Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:32.684{C8F4C507-6528-6140-6009-00000000F001}4400C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4,IMPHASH=EE3767E8CDC80CCB91A8FC0A7407A4A9trueMicrosoft WindowsValid 10341000x800000000000000050726Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:32.684{C8F4C507-4938-6140-1600-00000000F001}13244504C:\Windows\system32\svchost.exe{C8F4C507-6528-6140-6009-00000000F001}4400C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000050725Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:32.669{C8F4C507-6528-6140-6009-00000000F001}4400C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft 
Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3,IMPHASH=481A52B415277FC8692C7D6D9EA3475CtrueMicrosoft WindowsValid 10341000x800000000000000050724Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:32.669{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6528-6140-6009-00000000F001}4400C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000050723Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:32.653{C8F4C507-6528-6140-6009-00000000F001}4400C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1,IMPHASH=69BCD1B17DF0CA323B0C1639784D745BtrueMicrosoft WindowsValid 734700x800000000000000050722Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:32.622{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft 
Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 10341000x800000000000000050721Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:32.653{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-6528-6140-6009-00000000F001}4400C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050720Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:32.653{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6528-6140-6009-00000000F001}4400C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000050719Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:32.512{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 10341000x800000000000000050718Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:32.637{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050717Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:32.637{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050716Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:32.637{C8F4C507-4936-6140-0B00-00000000F001}6324692C:\Windows\system32\lsass.exe{C8F4C507-4938-6140-1600-00000000F001}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000050715Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:32.497{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x800000000000000050714Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:32.451{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x800000000000000050713Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:32.373{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 23542300x800000000000000050712Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:32.528{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6A7594555DAF12238279E1E61732CFF,SHA256=B7AFD0A9C62D47A6503406E00195FFB763CE1D6F241451CD32C5EB4484711475,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000050711Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:32.528{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6533AFBE7B1DDD793F4292A436B87D9F,SHA256=FBC42AAA8883BADA95F53D8931ABD737A8D3C2987D362B75A98BD6400688EE1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050710Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:32.340{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050808Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:33.965{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5576944C24CDDFE62CC15DEED5BF657,SHA256=2216EA7F3F0C20D2E97DE66F4B3512CEC1E7981280AB01A3C5D2BFC1B4A261FC,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000027510Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:33.779{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63EA27A2959274146589FDAD6B01936C,SHA256=B113D6FDC335AF913561D718BBDA4EBA29F6CA33399A7D13AC41C82F0260DBC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050807Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:33.669{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6A7594555DAF12238279E1E61732CFF,SHA256=B7AFD0A9C62D47A6503406E00195FFB763CE1D6F241451CD32C5EB4484711475,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050806Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:33.669{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACDA7256214E059876BE038F8ECFCE4F,SHA256=D7453915E39FDDB7112FDB6EEB73D5879110CBC6CF0C549380A0100EFBAA281F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050805Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:33.622{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAAC814D1DC1A5D3D3F4F66741C9A87B,SHA256=CFE23A5D58A0493734A8EE98ED7EF07BD36D184B118E0485C8BCB428314E0709,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000050804Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:33.497{C8F4C507-6529-6140-6109-00000000F001}7024C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4,IMPHASH=EE3767E8CDC80CCB91A8FC0A7407A4A9trueMicrosoft WindowsValid 10341000x800000000000000050803Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:33.497{C8F4C507-4938-6140-1600-00000000F001}13244504C:\Windows\system32\svchost.exe{C8F4C507-6529-6140-6109-00000000F001}7024C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x800000000000000050802Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:33.497{C8F4C507-6529-6140-6109-00000000F001}7024C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFF,IMPHASH=200200BEAF933FA4627BF83C67BA473EtrueMicrosoft WindowsValid 734700x800000000000000050801Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:33.481{C8F4C507-6529-6140-6109-00000000F001}7024C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3,IMPHASH=96416B54C1F2E15EF294753DF1CB4131trueMicrosoft WindowsValid 10341000x800000000000000050800Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:33.481{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6529-6140-6109-00000000F001}7024C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x800000000000000050799Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:33.465{C8F4C507-6529-6140-6109-00000000F001}7024C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1,IMPHASH=69BCD1B17DF0CA323B0C1639784D745BtrueMicrosoft WindowsValid 734700x800000000000000050798Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:33.465{C8F4C507-6529-6140-6109-00000000F001}7024C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3,IMPHASH=481A52B415277FC8692C7D6D9EA3475CtrueMicrosoft WindowsValid 10341000x800000000000000050797Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:33.450{C8F4C507-4936-6140-0500-00000000F001}416532C:\Windows\system32\csrss.exe{C8F4C507-6529-6140-6109-00000000F001}7024C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050796Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:33.450{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6529-6140-6109-00000000F001}7024C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050795Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:33.450{C8F4C507-6528-6140-6009-00000000F001}44002864C:\Windows\system32\wbem\wmiprvse.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000050794Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:33.450{C8F4C507-6528-6140-6009-00000000F001}44002864C:\Windows\system32\wbem\wmiprvse.exe{C8F4C507-6497-6140-4509-00000000F001}6360C:\Windows\helppane.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000050793Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:33.435{C8F4C507-6528-6140-6009-00000000F001}44002864C:\Windows\system32\wbem\wmiprvse.exe{C8F4C507-63C3-6140-2509-00000000F001}3328C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000050792Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:33.435{C8F4C507-6528-6140-6009-00000000F001}44002864C:\Windows\system32\wbem\wmiprvse.exe{C8F4C507-63C3-6140-2409-00000000F001}2408C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000050791Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:33.435{C8F4C507-6528-6140-6009-00000000F001}44002864C:\Windows\system32\wbem\wmiprvse.exe{C8F4C507-628F-6140-F508-00000000F001}6204C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000050790Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:33.435{C8F4C507-6528-6140-6009-00000000F001}44002864C:\Windows\system32\wbem\wmiprvse.exe{C8F4C507-61C9-6140-8D08-00000000F001}3728C:\Program Files 
(x86)\Google\Update\1.3.36.102\GoogleCrashHandler64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000050789Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:33.435{C8F4C507-6528-6140-6009-00000000F001}44002864C:\Windows\system32\wbem\wmiprvse.exe{C8F4C507-61C9-6140-8C08-00000000F001}7116C:\Program Files 
(x86)\Google\Update\1.3.36.102\GoogleCrashHandler.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000050788Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:33.435{C8F4C507-6528-6140-6009-00000000F001}44002864C:\Windows\system32\wbem\wmiprvse.exe{C8F4C507-5C94-6140-CC07-00000000F001}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000050787Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:33.435{C8F4C507-6528-6140-6009-00000000F001}44002864C:\Windows\system32\wbem\wmiprvse.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000050786Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:33.435{C8F4C507-6528-6140-6009-00000000F001}44002864C:\Windows\system32\wbem\wmiprvse.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000050785Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:33.435{C8F4C507-6528-6140-6009-00000000F001}44002864C:\Windows\system32\wbem\wmiprvse.exe{C8F4C507-5C86-6140-AD07-00000000F001}4252C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000050784Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:33.435{C8F4C507-6528-6140-6009-00000000F001}44002864C:\Windows\system32\wbem\wmiprvse.exe{C8F4C507-5C85-6140-AA07-00000000F001}3848C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000050783Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:33.435{C8F4C507-6528-6140-6009-00000000F001}44002864C:\Windows\system32\wbem\wmiprvse.exe{C8F4C507-5C84-6140-A407-00000000F001}720C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000050782Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:33.419{C8F4C507-6528-6140-6009-00000000F001}44002864C:\Windows\system32\wbem\wmiprvse.exe{C8F4C507-5C83-6140-A107-00000000F001}2860C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000050781Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:33.419{C8F4C507-6528-6140-6009-00000000F001}44002864C:\Windows\system32\wbem\wmiprvse.exe{C8F4C507-49C2-6140-9200-00000000F001}2952C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000050780Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:33.419{C8F4C507-6528-6140-6009-00000000F001}44002864C:\Windows\system32\wbem\wmiprvse.exe{C8F4C507-4966-6140-7E00-00000000F001}2380C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000050779Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:33.419{C8F4C507-6528-6140-6009-00000000F001}44002864C:\Windows\system32\wbem\wmiprvse.exe{C8F4C507-4966-6140-7D00-00000000F001}3980C:\Windows\system32\WinrsHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000050778Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:33.419{C8F4C507-6528-6140-6009-00000000F001}44002864C:\Windows\system32\wbem\wmiprvse.exe{C8F4C507-495A-6140-7B00-00000000F001}3640C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000050777Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:33.419{C8F4C507-6528-6140-6009-00000000F001}44002864C:\Windows\system32\wbem\wmiprvse.exe{C8F4C507-4959-6140-7900-00000000F001}504C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000050776Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:33.387{C8F4C507-6528-6140-6009-00000000F001}44002864C:\Windows\system32\wbem\wmiprvse.exe{C8F4C507-4938-6140-0F00-00000000F001}364C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000050744Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:33.387{C8F4C507-6528-6140-6009-00000000F001}44002864C:\Windows\system32\wbem\wmiprvse.exe{C8F4C507-4938-6140-0E00-00000000F001}1008C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000050743Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:33.387{C8F4C507-6528-6140-6009-00000000F001}44002864C:\Windows\system32\wbem\wmiprvse.exe{C8F4C507-4938-6140-0D00-00000000F001}904C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000050742Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:33.387{C8F4C507-6528-6140-6009-00000000F001}44002864C:\Windows\system32\wbem\wmiprvse.exe{C8F4C507-4937-6140-0C00-00000000F001}848C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000050741Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:33.387{C8F4C507-6528-6140-6009-00000000F001}44002864C:\Windows\system32\wbem\wmiprvse.exe{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000050740Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:33.372{C8F4C507-6528-6140-6009-00000000F001}44002864C:\Windows\system32\wbem\wmiprvse.exe{C8F4C507-4936-6140-0900-00000000F001}572C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000050739Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:33.356{C8F4C507-6527-6140-5F09-00000000F001}6068ATTACKRANGE\AdministratorC:\Temp\fin7_jssloader.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SchCache\win-dc-158.attackrange.local.schMD5=3B3531A335298119AD90D9B9BEB810AF,SHA256=77996876B4230A7DFCE13A77C0AA2E3B969AFA2A4562FD8583B6DDE3742EB2AD,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000050738Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:33.293{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exeC:\Windows\SysWOW64\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptdll.dllMD5=B7E2FC98A721415DE1B2A77D9A7B95ED,SHA256=CA6EE939BAD0EF32A1A62D1EA6D7D29006889FF6C4626650F9CD38FD6C27B87D,IMPHASH=F041BC2D00F8EE54536427C63882D791trueMicrosoft WindowsValid 734700x800000000000000050737Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:33.122{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exeC:\Windows\SysWOW64\adsldp.dll10.0.14393.4530 (rs1_release.210705-0736)ADs LDAP Provider DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationoledsldpMD5=F4BFB44AAC8977FFC6F1519527C1B033,SHA256=3EC8D3E809452BFF77A5A3E17CA3296F4948EBD9D7E82FE3BB597E2922E43CE8,IMPHASH=06F3955AEDF13D764DE44A744645136FtrueMicrosoft WindowsValid 734700x800000000000000050736Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:33.090{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exeC:\Windows\SysWOW64\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=56B8474D76B26C199D81A49E81CAF633,SHA256=04C0E64FE6FBA0B386DC6BC7A3E3E8DFBD09AA40E3FFB2CCE46A3A6CE757BC14,IMPHASH=35BEBC59B0F5CEF4DADC41EEEFB3D8BDtrueMicrosoft WindowsValid 734700x800000000000000050735Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:33.075{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exeC:\Windows\SysWOW64\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=5AA1848A07F46DEEFAFA8E1A67CD57E4,SHA256=7F8A82CBA2F9B09C8A0CCC9226C6D10AB9F8640703B98558915B9CDF15F06971,IMPHASH=CC98263EE2F3077F343FAF0FEC85C903trueMicrosoft WindowsValid 23542300x800000000000000027511Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:34.826{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7711CF7A3A85AE0EFF425BE82D717A63,SHA256=E96DCE7ED36C6D5875FA48125E2CEA43E2990E1358746A5CFCA31BC95E06F8E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050827Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:34.782{C8F4C507-4948-6140-2A00-00000000F001}2916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0477d517a1c234eb8\channels\health\respondent-20210914070338-115MD5=444213A5E4761AD14A80FA7E47991D82,SHA256=0DBDB8A4E56CED56EF8E5BF7E0DBD8D08A5C60B4FE09EE301DC946EF89962DD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050826Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:34.296{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=16F261025A00439C8ACAB3FCFD71F26F,SHA256=C990A99CFCEA3E4C59CC4AB92049D3C808B24A387C39B7CECF992E2A02150F33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050825Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:34.296{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5C377B1229D68955B44D733DC03DEE45,SHA256=CB5148F3D2D7DAA6EEE3D4FD7B010F58B6EC1C38B5A6038D12CB4F544D948246,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050824Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:34.138{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-652A-6140-6209-00000000F001}6220C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050823Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:34.138{C8F4C507-4936-6140-0A00-00000000F001}6241320C:\Windows\system32\services.exe{C8F4C507-652A-6140-6209-00000000F001}6220C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050822Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:34.090{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050821Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:34.090{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050820Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:34.090{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050819Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:34.090{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050818Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:34.090{C8F4C507-4936-6140-0500-00000000F001}416432C:\Windows\system32\csrss.exe{C8F4C507-652A-6140-6209-00000000F001}6220C:\Windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050817Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:34.090{C8F4C507-4936-6140-0A00-00000000F001}6242020C:\Windows\system32\services.exe{C8F4C507-652A-6140-6209-00000000F001}6220C:\Windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050816Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:34.089{C8F4C507-652A-6140-6209-00000000F001}6220C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeC:\Windows\system32\msiexec.exe /VC:\Windows\system32\NT 
AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9,IMPHASH=18A9F87944C357EB02511FDF4A18E19B{C8F4C507-4936-6140-0A00-00000000F001}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x800000000000000050815Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:34.075{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-4936-6140-0A00-00000000F001}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050814Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:34.075{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050813Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:34.075{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050812Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:34.075{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-4936-6140-0A00-00000000F001}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050811Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:34.059{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-6529-6140-6109-00000000F001}7024C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050810Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:34.059{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-6529-6140-6109-00000000F001}7024C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050809Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:34.028{C8F4C507-4938-6140-1400-00000000F001}10643556C:\Windows\system32\svchost.exe{C8F4C507-6529-6140-6109-00000000F001}7024C:\Windows\system32\wbem\wmiprvse.exe0x100040C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+63c9|c:\windows\system32\cryptsvc.dll+62d1|c:\windows\system32\cryptsvc.dll+5e56|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x800000000000000027512Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:35.857{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C52F5313ACFFCF831746536ADEF4387,SHA256=F01F955A8A629272439BDB76397CDD2124AF72414171AB045DABEBB35BB42005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050836Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:35.797{C8F4C507-4948-6140-2A00-00000000F001}2916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0477d517a1c234eb8\channels\health\surveyor-20210914070336-116MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000050835Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:33.179{C8F4C507-6527-6140-5F09-00000000F001}6068win-dc-158.attackrange.local0fe80::d95c:c36c:7423:d3ed;::ffff:10.0.1.14;C:\Temp\fin7_jssloader.exe 23542300x800000000000000050834Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:35.139{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=ECC9001ECF6DA07884D2B109CA0ADF02,SHA256=B612094E437AA2DB6FDBB87FA301846B28405C44A2826CCD0B6422A2879BD55D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050833Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:35.139{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C3D426EBC8DBF898356A160D89C161DA,SHA256=FC6466C79D401A9D2492556C67539EAEBA585077CF50C320BEE391BFA065D63C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050832Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:35.124{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A4FC6615A3F449D268DDFE0FF2BAAD0,SHA256=200D9B5B9172D89948C14CD1D760B3F21EC5365A842CD601473E10D26CD93D2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050831Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:34.193{C8F4C507-6529-6140-6109-00000000F001}7024C:\Windows\System32\wbem\WmiPrvSE.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50754-false93.184.220.29-80http 354300x800000000000000050830Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:33.292{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-158.attackrange.local50753-false10.0.1.14win-dc-158.attackrange.local389ldap 354300x800000000000000050829Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:33.292{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50753-false10.0.1.14win-dc-158.attackrange.local389ldap 23542300x800000000000000050828Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:35.093{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF3F25824353A7774069E8E62867FBD4,SHA256=42AC1A27F5BCCCDEB6BEBBD6CE96D07255C16284B8A7D36FE79E9C29295360E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027514Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:36.904{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4D4A317D43EEF84995FE1EFF819D154,SHA256=AE5824A97405B5F24A3154571A12C4730FA6071E619D00FFAAE81FD8C8AF5E55,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027513Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:33.818{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51050-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000050838Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:34.223{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50755-false10.0.1.12-8000- 23542300x800000000000000050837Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:36.107{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D97B02E0DA8A5187FE3E980D1768766B,SHA256=157A0912D450BAFD6BE8EA71DD04465DDC2E901EC439C5A2391C9EBFF0F3F786,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027515Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:37.951{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=215B07B68197B747F3C231888FEA1553,SHA256=4B21784F673D9ABD921175873AFA09686550571D3BDAE2457A45898ED424C135,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050873Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:37.767{C8F4C507-5C87-6140-B607-00000000F001}33724260C:\Windows\Explorer.EXE{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61e00|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050872Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:37.767{C8F4C507-5C87-6140-B607-00000000F001}33724260C:\Windows\Explorer.EXE{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla 
Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050871Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:37.750{C8F4C507-5C86-6140-AF07-00000000F001}13323520C:\Windows\system32\taskhostw.exe{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050870Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:37.750{C8F4C507-5C86-6140-AF07-00000000F001}13323520C:\Windows\system32\taskhostw.exe{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050869Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:37.735{C8F4C507-5C87-6140-B607-00000000F001}33725496C:\Windows\Explorer.EXE{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61e00|C:\Windows\System32\SHELL32.dll+11d74|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050868Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:37.735{C8F4C507-5C87-6140-B607-00000000F001}33725496C:\Windows\Explorer.EXE{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+11d74|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050867Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:37.735{C8F4C507-5C87-6140-B607-00000000F001}33725496C:\Windows\Explorer.EXE{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61e00|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050866Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:37.735{C8F4C507-5C87-6140-B607-00000000F001}33725496C:\Windows\Explorer.EXE{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050865Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:37.735{C8F4C507-5C87-6140-B607-00000000F001}33725496C:\Windows\Explorer.EXE{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla 
Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050864Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:37.719{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61e00|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050863Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:37.719{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050862Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:37.719{C8F4C507-5C87-6140-B607-00000000F001}3372288C:\Windows\Explorer.EXE{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050861Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:37.704{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050860Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:37.704{C8F4C507-4938-6140-1600-00000000F001}13244240C:\Windows\system32\svchost.exe{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000050859Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:37.704{C8F4C507-4938-6140-1600-00000000F001}13241352C:\Windows\system32\svchost.exe{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050858Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:37.688{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652D-6140-6309-00000000F001}3208C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+7376|C:\Program Files\Mozilla Firefox\firefox.exe+5799|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050857Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:37.657{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050856Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:37.657{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050855Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:37.657{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050854Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:37.657{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050853Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:37.657{C8F4C507-5C83-6140-A007-00000000F001}42245620C:\Windows\system32\csrss.exe{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program 
Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050852Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:37.657{C8F4C507-652D-6140-6309-00000000F001}32084208C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+8b85|C:\Program Files\Mozilla Firefox\firefox.exe+5799|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050851Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:37.659{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exe92.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{C8F4C507-5C85-6140-1A54-470000000000}0x47541a2MediumMD5=1FD44F5F8D3DBF02BF76AAAE6AB44D8A,SHA256=A20DDE702CCC7B83A9D8017BBF45738E22EF45E2F2511570E2415BE85F01A4C5,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{C8F4C507-652D-6140-6309-00000000F001}3208C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000050850Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:37.641{C8F4C507-652D-6140-6309-00000000F001}32084208C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+7376|C:\Program Files\Mozilla 
Firefox\firefox.exe+5799|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050849Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:37.626{C8F4C507-4938-6140-1200-00000000F001}6204220C:\Windows\System32\svchost.exe{C8F4C507-652D-6140-6309-00000000F001}3208C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050848Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:37.626{C8F4C507-4938-6140-1200-00000000F001}6204220C:\Windows\System32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050847Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:37.626{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050846Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:37.612{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050845Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:37.612{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050844Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:37.612{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050843Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:37.612{C8F4C507-5C83-6140-A007-00000000F001}42241076C:\Windows\system32\csrss.exe{C8F4C507-652D-6140-6309-00000000F001}3208C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050842Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:37.612{C8F4C507-5C87-6140-B607-00000000F001}33727096C:\Windows\Explorer.EXE{C8F4C507-652D-6140-6309-00000000F001}3208C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\windows.storage.dll+15922|C:\Windows\System32\windows.storage.dll+15619|C:\Windows\System32\windows.storage.dll+154ef|C:\Windows\System32\SHELL32.dll+80287|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHLWAPI.dll+e1f7 154100x800000000000000050841Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:37.620{C8F4C507-652D-6140-6309-00000000F001}3208C:\Program Files\Mozilla Firefox\firefox.exe92.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{C8F4C507-5C85-6140-1A54-470000000000}0x47541a2HighMD5=1FD44F5F8D3DBF02BF76AAAE6AB44D8A,SHA256=A20DDE702CCC7B83A9D8017BBF45738E22EF45E2F2511570E2415BE85F01A4C5,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000050840Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:37.251{C8F4C507-4948-6140-2D00-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=97307B6C6226AFFEFEDDF9EBA24D5EA3,SHA256=4CB856A974CB30F2D8F223261AE885385947BBAEFF3925236FB5B2D7588E78E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050839Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:37.110{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2CB2CD79ED243CBB1014973D5F584D0,SHA256=EA8661280C1E04EA94092758673B084D469B3886B7E2552483EF127766D41596,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027516Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:38.966{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EA5B83CBC5CA128B5DEBD2271357163,SHA256=2976177927F4D38EEFCB513F3A4DFADD44FF16450FFBCFC7C8A218D4C80F3BB8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000050878Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:38.985{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cra6argi.default-release\.startup-incomplete2021-09-14 09:02:38.985 11241100x800000000000000050877Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:38.985{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\parent.lock2021-09-14 08:47:13.407 
23542300x800000000000000050876Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:38.985{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\parent.lockMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050875Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:38.641{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A05028622EB4021842C8638D1704D35,SHA256=F0FBA3104B188D51975D37C8FBF08C9AF0B21F9200E73DEAC0FADB90EC1464E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050874Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:38.454{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C92609D69CB65CDF779C8F902E8CC58,SHA256=63B191DD83622C52768E1401AB760E9DBE8228D3B5EA8B8F257A9969452641D9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000050996Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.954{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\favicons.sqlite-shm2021-09-14 09:02:39.954 11241100x800000000000000050995Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:39.954{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\favicons.sqlite-wal2021-09-14 09:02:39.954 11241100x800000000000000050994Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.954{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\places.sqlite-shm2021-09-14 09:02:39.954 11241100x800000000000000050993Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.954{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\places.sqlite-wal2021-09-14 09:02:39.954 11241100x800000000000000050992Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.938{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm2021-09-14 09:02:39.907 11241100x800000000000000050991Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.938{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-wal2021-09-14 09:02:39.907 10341000x800000000000000050990Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.923{C8F4C507-652D-6140-6409-00000000F001}56486180C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6609-00000000F001}6420C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a02441|C:\Program Files\Mozilla Firefox\xul.dll+a63798|C:\Program Files\Mozilla Firefox\xul.dll+ce8b1|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+173c649|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26cc2|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050989Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.923{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000050988Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.907{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm2021-09-14 09:02:39.907 10341000x800000000000000050987Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:39.907{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4938-6140-1600-00000000F001}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000050986Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.907{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-wal2021-09-14 09:02:39.907 10341000x800000000000000050985Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.893{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6609-00000000F001}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a462d8|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a52a99|C:\Program Files\Mozilla Firefox\xul.dll+e415b8|C:\Program Files\Mozilla Firefox\xul.dll+19d7315|C:\Program Files\Mozilla 
Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+19a2909|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x800000000000000050984Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 09:02:39.893{C8F4C507-652D-6140-6409-00000000F001}5648\cubeb-pipe-5648-0C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000050983Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 09:02:39.893{C8F4C507-652D-6140-6409-00000000F001}5648\cubeb-pipe-5648-0C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000050982Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.893{C8F4C507-4936-6140-0B00-00000000F001}6324692C:\Windows\system32\lsass.exe{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla 
Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050981Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.893{C8F4C507-4936-6140-0B00-00000000F001}6324692C:\Windows\system32\lsass.exe{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050980Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.893{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D7D78C8EBD00ED43547BD53725E381D,SHA256=77FBF7177E50E6704966D4B1DDCCCC195305943F3413E0B115A52BD184A02E3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050979Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.860{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6609-00000000F001}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(0000018AB2A71E84) 10341000x800000000000000050978Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.860{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6609-00000000F001}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla 
Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(0000018AB2A71E84) 10341000x800000000000000050977Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.860{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6609-00000000F001}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+1b66eb1|C:\Program Files\Mozilla Firefox\xul.dll+1d25fa7|UNKNOWN(0000018AB2A73E5F) 10341000x800000000000000050976Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.846{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6609-00000000F001}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla 
Firefox\xul.dll+1b52aff|C:\Program Files\Mozilla Firefox\xul.dll+73e84|C:\Program Files\Mozilla Firefox\xul.dll+12470d8|C:\Program Files\Mozilla Firefox\xul.dll+8ad21|C:\Program Files\Mozilla Firefox\xul.dll+8ac78|C:\Program Files\Mozilla Firefox\xul.dll+abdcbe|C:\Program Files\Mozilla Firefox\xul.dll+8723f|C:\Program Files\Mozilla Firefox\xul.dll+c2fb2b|C:\Program Files\Mozilla Firefox\xul.dll+16f2f82|C:\Program Files\Mozilla Firefox\xul.dll+1bb4759|C:\Program Files\Mozilla Firefox\xul.dll+1b5f3a6|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+19eeeaf 10341000x800000000000000050975Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.846{C8F4C507-4938-6140-1100-00000000F001}4081580C:\Windows\system32\svchost.exe{C8F4C507-652F-6140-6609-00000000F001}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050974Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.834{C8F4C507-4938-6140-1100-00000000F001}4081580C:\Windows\system32\svchost.exe{C8F4C507-652F-6140-6609-00000000F001}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050973Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.814{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla 
Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c04bf0|C:\Program Files\Mozilla Firefox\xul.dll+c0456d|C:\Program Files\Mozilla Firefox\xul.dll+bfd604|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+be47e3|C:\Program Files\Mozilla Firefox\xul.dll+1f02d5c 10341000x800000000000000050972Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.814{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla 
Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x800000000000000050971Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.814{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program 
Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x800000000000000050970Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.814{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x800000000000000050969Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.814{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla 
Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x800000000000000050968Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.814{C8F4C507-4936-6140-0B00-00000000F001}6324692C:\Windows\system32\lsass.exe{C8F4C507-652F-6140-6609-00000000F001}6420C:\Program Files\Mozilla 
Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050967Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.814{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla 
Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x800000000000000050966Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.797{C8F4C507-4936-6140-0B00-00000000F001}6324692C:\Windows\system32\lsass.exe{C8F4C507-652F-6140-6609-00000000F001}6420C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050965Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.797{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla 
Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0bba0 10341000x800000000000000050964Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.797{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+fd0c4c|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program 
Firefox\xul.dll+1ac1848|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac3db2|C:\Program Files\Mozilla Firefox\xul.dll+176a76e|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+272f91|C:\Program Files\Mozilla Firefox\xul.dll+37d64e|C:\Program Files\Mozilla Firefox\xul.dll+cf5ac6 10341000x800000000000000050917Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.517{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+ec7eec|C:\Program Files\Mozilla Firefox\xul.dll+2870d2|C:\Program Files\Mozilla Firefox\xul.dll+2863bf|C:\Program Files\Mozilla Firefox\xul.dll+2861aa|C:\Program Files\Mozilla Firefox\xul.dll+ee10a5|C:\Program Files\Mozilla Firefox\xul.dll+18ab07a|C:\Program Files\Mozilla Firefox\xul.dll+1ac1848|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac3db2|C:\Program Files\Mozilla Firefox\xul.dll+176a76e|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla 
Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+272f91|C:\Program Files\Mozilla Firefox\xul.dll+37d64e|C:\Program Files\Mozilla Firefox\xul.dll+cf5ac6 11241100x800000000000000050916Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.329{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm2021-09-14 09:02:39.268 11241100x800000000000000050915Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.329{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-wal2021-09-14 09:02:39.268 11241100x800000000000000050914Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.299{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2021-09-14 09:02:39.250 11241100x800000000000000050913Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.299{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2021-09-14 09:02:39.250 354300x800000000000000050912Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:37.352{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50756-false10.0.1.12-8089- 23542300x800000000000000050911Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.268{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000050910Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.268{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm2021-09-14 09:02:39.268 11241100x800000000000000050909Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.268{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-wal2021-09-14 09:02:39.268 23542300x800000000000000050908Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.268{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x800000000000000050907Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.250{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2021-09-14 09:02:39.250 11241100x800000000000000050906Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.250{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2021-09-14 09:02:39.250 11241100x800000000000000050905Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.250{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\cookies.sqlite-shm2021-09-14 09:02:39.172 11241100x800000000000000050904Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.250{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\cookies.sqlite-wal2021-09-14 09:02:39.172 11241100x800000000000000050903Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.219{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\sessionCheckpoints.json.tmp2021-09-14 09:02:39.219 23542300x800000000000000050902Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.188{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cra6argi.default-release\cache2\doomed\9148MD5=DE2F1363CB9D5556B5C9A62B3F9E23C2,SHA256=B70E3980106EBD7D7254C04A35B43529E84521DBB61D9AE6785FC4CE974939A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050901Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.172{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\cookies.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000050900Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.172{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\cookies.sqlite-shm2021-09-14 09:02:39.172 11241100x800000000000000050899Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.172{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\cookies.sqlite-wal2021-09-14 09:02:39.172 10341000x800000000000000050898Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.157{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla 
Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050897Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.157{C8F4C507-4938-6140-1600-00000000F001}13244240C:\Windows\system32\svchost.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050896Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.157{C8F4C507-4938-6140-1600-00000000F001}13241352C:\Windows\system32\svchost.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
18141800x800000000000000050895Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 09:02:39.157{C8F4C507-652F-6140-6509-00000000F001}6596\chrome.5648.0.161639572C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000050894Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.157{C8F4C507-652D-6140-6409-00000000F001}56486416C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+133dab|C:\Program Files\Mozilla Firefox\xul.dll+121475d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000050893Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 09:02:39.157{C8F4C507-652F-6140-6509-00000000F001}6596\gecko-crash-server-pipe.5648C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000050892Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.141{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050891Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.141{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050890Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.094{C8F4C507-4938-6140-1100-00000000F001}4081580C:\Windows\system32\svchost.exe{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050889Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.094{C8F4C507-4938-6140-1100-00000000F001}4081580C:\Windows\system32\svchost.exe{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050888Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.094{C8F4C507-652D-6140-6409-00000000F001}56485252C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+a0040f|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+16620b4|C:\Program Files\Mozilla Firefox\xul.dll+19c2585|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050887Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:39.094{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050886Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.094{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050885Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:39.094{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050884Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.094{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050883Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.094{C8F4C507-5C83-6140-A007-00000000F001}4224696C:\Windows\system32\csrss.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program 
Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050882Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.094{C8F4C507-652D-6140-6409-00000000F001}56485000C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\xul.dll+1756ea4|C:\Program Files\Mozilla Firefox\xul.dll+9fbc79|C:\Program Files\Mozilla Firefox\xul.dll+9f9fc5|C:\Program Files\Mozilla Firefox\xul.dll+a0123e|C:\Program Files\Mozilla Firefox\xul.dll+8ab830|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26d8a|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050881Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:39.098{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe92.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5648.0.1616395721\1303029033" -parentBuildID 20210903235534 -prefsHandle 1340 -prefMapHandle 1332 -prefsLen 1 -prefMapSize 244146 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5648 "\\.\pipe\gecko-crash-server-pipe.5648" 1400 28abc265138 gpuC:\Program Files\Mozilla 
Firefox\ATTACKRANGE\Administrator{C8F4C507-5C85-6140-1A54-470000000000}0x47541a2MediumMD5=1FD44F5F8D3DBF02BF76AAAE6AB44D8A,SHA256=A20DDE702CCC7B83A9D8017BBF45738E22EF45E2F2511570E2415BE85F01A4C5,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x800000000000000050880Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 09:02:39.094{C8F4C507-652D-6140-6409-00000000F001}5648\chrome.5648.0.161639572C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000050879Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 09:02:39.094{C8F4C507-652D-6140-6409-00000000F001}5648\gecko-crash-server-pipe.5648C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000051238Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.989{C8F4C507-652D-6140-6409-00000000F001}56486180C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6530-6140-6809-00000000F001}1968C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a02441|C:\Program Files\Mozilla Firefox\xul.dll+a63798|C:\Program Files\Mozilla Firefox\xul.dll+ce8b1|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+173c649|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26cc2|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla 
Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051237Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.973{C8F4C507-4938-6140-1100-00000000F001}4081580C:\Windows\system32\svchost.exe{C8F4C507-6530-6140-6809-00000000F001}1968C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051236Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.973{C8F4C507-4938-6140-1100-00000000F001}4081580C:\Windows\system32\svchost.exe{C8F4C507-6530-6140-6809-00000000F001}1968C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051235Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.957{C8F4C507-4936-6140-0B00-00000000F001}6324692C:\Windows\system32\lsass.exe{C8F4C507-6530-6140-6809-00000000F001}1968C:\Program Files\Mozilla 
Files\Mozilla Firefox\firefox.exe{C8F4C507-6530-6140-6809-00000000F001}1968C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+e39fc3|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051187Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.858{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6530-6140-6809-00000000F001}1968C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+c1485|C:\Program Files\Mozilla Firefox\xul.dll+e39c9a|C:\Program Files\Mozilla Firefox\xul.dll+361d744|C:\Program Files\Mozilla Firefox\xul.dll+361d6b0|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla 
Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051186Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.858{C8F4C507-652D-6140-6409-00000000F001}56485252C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6530-6140-6809-00000000F001}1968C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+a0040f|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+16620b4|C:\Program Files\Mozilla Firefox\xul.dll+19c2585|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051185Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.858{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6530-6140-6709-00000000F001}5336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla 
Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051184Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.842{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6609-00000000F001}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla 
Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000051183Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.842{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.bin2021-09-14 08:47:15.839 23542300x800000000000000051182Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.842{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.binMD5=983DA4F11DDB20B143E960BE6B382665,SHA256=19520CE42F3C30AFDF9CBD14D05D994B368DFA22AB7E6DCBEF5E0FFFC5E6DABC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000051181Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.842{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.bin2021-09-14 08:47:15.839 23542300x800000000000000051180Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.842{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.binMD5=FA3DBF4E8BC6B6FE5DF481A8E1B378A5,SHA256=A6526CD469C2271C04883DA7F19DD464E77D92B6DDFEC61D77FD180ADCD0C51E,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000051179Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.842{C8F4C507-5C83-6140-A007-00000000F001}42241076C:\Windows\system32\csrss.exe{C8F4C507-6530-6140-6809-00000000F001}1968C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051178Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.842{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051177Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:40.842{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051176Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.842{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051175Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:40.842{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051174Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.842{C8F4C507-652D-6140-6409-00000000F001}56485000C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6530-6140-6809-00000000F001}1968C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f04d|C:\Program Files\Mozilla Firefox\firefox.exe+2e255|C:\Program Files\Mozilla Firefox\xul.dll+1fc619a|C:\Program Files\Mozilla Firefox\xul.dll+9fbdfa|C:\Program Files\Mozilla Firefox\xul.dll+9f9fc5|C:\Program Files\Mozilla Firefox\xul.dll+a0123e|C:\Program Files\Mozilla Firefox\xul.dll+8ab830|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26d8a|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla 
Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000051173Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.842{C8F4C507-6530-6140-6809-00000000F001}1968C:\Program Files\Mozilla Firefox\firefox.exe92.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5648.5.1164321952\1212369741" -childID 3 -isForBrowser -prefsHandle 4000 -prefMapHandle 4060 -prefsLen 6712 -prefMapSize 244146 -jsInit 1180 285716 -parentBuildID 20210903235534 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5648 "\\.\pipe\gecko-crash-server-pipe.5648" 4080 28ac2842d38 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{C8F4C507-5C85-6140-1A54-470000000000}0x47541a2LowMD5=1FD44F5F8D3DBF02BF76AAAE6AB44D8A,SHA256=A20DDE702CCC7B83A9D8017BBF45738E22EF45E2F2511570E2415BE85F01A4C5,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 11241100x800000000000000051172Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.842{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.bin2021-09-14 08:47:15.839 23542300x800000000000000051171Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.826{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.binMD5=351687FA5C319A75C7E4F379A4234B8E,SHA256=3600A38ED93B06855B1D159D125898E13914AE05E09C21DC59D178763CFE491F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000051170Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.826{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\tmp\d26fdd04-7c52-44a0-824c-e94455d9123b2021-09-14 09:02:40.826 11241100x800000000000000051169Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.826{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.bin2021-09-14 08:47:15.839 23542300x800000000000000051168Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.826{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.binMD5=FA34AE54CD94156F1914E060A83E03DA,SHA256=3AA0840A9F0BA98296FFECA5C8292471C3F7D5FC6D9DB65898F2F0AF1AF18A95,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000051167Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.826{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.bin2021-09-14 08:47:15.839 
23542300x800000000000000051166Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.826{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.binMD5=F696865630E4B60AF026910C8078651D,SHA256=9B3D256D25C848DCA99B04C6830ADB318CC1E1F249B7503402DA7331DCDDCE06,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000051165Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.826{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.bin2021-09-14 08:47:15.839 23542300x800000000000000051164Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.826{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.binMD5=2081A9B8AE83EA7AD7FE5EB82E854D55,SHA256=EC10DADDDD8F7F01E8E80A3B354A362119CFEA8F0091369B7F6386273EE23E4C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000051163Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.826{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.bin2021-09-14 08:47:15.839 23542300x800000000000000051162Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.826{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.binMD5=9E869A3367F65C49A06ADFD3D4C480E9,SHA256=44857C0DE02D79CC455971906F9FDA6C2BAE1C15725EE0F0606400ADB04C4643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051161Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.826{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C003FBE8441EFF6A81CEEAE77AB09049,SHA256=E79A4C77DBDCA865A07A63FC575376DEBC45F681D9D7969761A0AFC5FE5AC083,IMPHASH=00000000000000000000000000000000falsetrue 17141700x800000000000000051160Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 09:02:40.826{C8F4C507-652D-6140-6409-00000000F001}5648\chrome.5648.5.116432195C:\Program Files\Mozilla Firefox\firefox.exe 11241100x800000000000000051159Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.826{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.bin2021-09-14 08:47:15.839 23542300x800000000000000051158Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.826{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.binMD5=9F531E9B5C63E6FA32FEC14334B19266,SHA256=9DCDB0126AA93DAB0F60D47B9EF9A0A2297252BD1DFFBF027089730070CA156A,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x800000000000000051157Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.811{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.bin2021-09-14 08:47:15.839 23542300x800000000000000051156Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.811{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.binMD5=B29B19A9CE3C757251C5DDF02EF9E248,SHA256=80D8FAEFBA9C3B32E985F5E8055E605550AC5101742838AC51C349300D89B644,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000051155Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.811{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.bin2021-09-14 08:47:15.839 23542300x800000000000000051154Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.811{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.binMD5=CA6DC3EFA462EF52F466D289D7D31838,SHA256=AAB8179598B9E45772230C34B52811C7B4A796E5F4FADB338A59F6C7FC5B4411,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000051153Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.811{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.bin2021-09-14 08:47:15.839 23542300x800000000000000051152Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.811{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.binMD5=11311AD661972EEC72972A1322FCDD64,SHA256=E106193B3414FDB97B3F4A9E7250F712F06C62C5F3A4A4298536DE391460743C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000051151Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.811{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.bin2021-09-14 08:47:15.839 23542300x800000000000000051150Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.811{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.binMD5=55964D824815748BA316EA8907A431FD,SHA256=435A18E59F77FB9102BE0CF7540F14C705FAAE11C7099B03F04F9E0430B429F1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000051149Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.811{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.bin2021-09-14 08:47:15.839 
Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051102Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.589{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6530-6140-6709-00000000F001}5336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051101Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.589{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6530-6140-6709-00000000F001}5336C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051100Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.589{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6530-6140-6709-00000000F001}5336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a799a9|C:\Program Files\Mozilla Firefox\xul.dll+9d2692|C:\Program Files\Mozilla Firefox\xul.dll+8aa7fa|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla 
Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000051099Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.557{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm2021-09-14 09:02:40.542 11241100x800000000000000051098Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.557{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-wal2021-09-14 09:02:40.542 23542300x800000000000000051097Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.557{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000051096Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.542{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm2021-09-14 09:02:40.542 11241100x800000000000000051095Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.542{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-wal2021-09-14 09:02:40.542 23542300x800000000000000051094Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.526{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7947F324D53D186348DB1DA25645C5C7,SHA256=88002EC9E56587FC1C38AEC1ABFC22322EBAA321EF24FD5FCE1D47A7F9ECDF32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051093Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.526{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c04bf0|C:\Program 
Files\Mozilla Firefox\xul.dll+c0456d|C:\Program Files\Mozilla Firefox\xul.dll+bfd604|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+be47e3|C:\Program Files\Mozilla Firefox\xul.dll+1f02d5c 10341000x800000000000000051092Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.510{C8F4C507-4938-6140-1100-00000000F001}4081580C:\Windows\system32\svchost.exe{C8F4C507-6530-6140-6709-00000000F001}5336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051091Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.510{C8F4C507-4938-6140-1100-00000000F001}4081580C:\Windows\system32\svchost.exe{C8F4C507-6530-6140-6709-00000000F001}5336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051090Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.507{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19a6650|C:\Program Files\Mozilla Firefox\xul.dll+3813c0d|C:\Program Files\Mozilla Firefox\xul.dll+ee325d|C:\Program Files\Mozilla Firefox\xul.dll+ee28e4|C:\Program Files\Mozilla Firefox\xul.dll+edd6f4|C:\Windows\System32\user32.dll+121e4|C:\Windows\System32\user32.dll+11b2c|C:\Program Files\Mozilla Firefox\xul.dll+1814e76|C:\Program Files\Mozilla Firefox\xul.dll+166f011|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba 10341000x800000000000000051089Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.506{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6530-6140-6709-00000000F001}5336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a462d8|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a52a99|C:\Program Files\Mozilla Firefox\xul.dll+e415b8|C:\Program Files\Mozilla Firefox\xul.dll+19d7315|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+19a2909|C:\Program Files\Mozilla 
Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19a6650|C:\Program Files\Mozilla Firefox\xul.dll+3813c0d|C:\Program Files\Mozilla Firefox\xul.dll+ee325d|C:\Program Files\Mozilla Firefox\xul.dll+ee28e4|C:\Program Files\Mozilla Firefox\xul.dll+edd6f4|C:\Windows\System32\user32.dll+121e4|C:\Windows\System32\user32.dll+11b2c|C:\Program Files\Mozilla Firefox\xul.dll+1814e76|C:\Program Files\Mozilla Firefox\xul.dll+166f011|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e 18141800x800000000000000051088Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 09:02:40.506{C8F4C507-652D-6140-6409-00000000F001}5648\cubeb-pipe-5648-1C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000051087Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 09:02:40.506{C8F4C507-652D-6140-6409-00000000F001}5648\cubeb-pipe-5648-1C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000051086Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.484{C8F4C507-4936-6140-0B00-00000000F001}6324692C:\Windows\system32\lsass.exe{C8F4C507-6530-6140-6709-00000000F001}5336C:\Program Files\Mozilla 
Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051085Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.484{C8F4C507-4936-6140-0B00-00000000F001}6324692C:\Windows\system32\lsass.exe{C8F4C507-6530-6140-6709-00000000F001}5336C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051084Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.446{C8F4C507-652D-6140-6409-00000000F001}56487164C:\Program Files\Mozilla 
Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051083Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.446{C8F4C507-652D-6140-6409-00000000F001}56487164C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051082Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.445{C8F4C507-652D-6140-6409-00000000F001}56487164C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla 
Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051081Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.445{C8F4C507-652D-6140-6409-00000000F001}56487164C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051080Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.441{C8F4C507-652D-6140-6409-00000000F001}56487164C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051079Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.437{C8F4C507-652D-6140-6409-00000000F001}56487164C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program 
Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051078Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.436{C8F4C507-652D-6140-6409-00000000F001}56487164C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051077Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.436{C8F4C507-652D-6140-6409-00000000F001}56487164C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla 
Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051076Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.436{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6530-6140-6709-00000000F001}5336C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000051075Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 09:02:40.436{C8F4C507-652F-6140-6509-00000000F001}6596\chrome.5648.4.189234124C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000051074Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.420{C8F4C507-652D-6140-6409-00000000F001}56485252C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6530-6140-6709-00000000F001}5336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+1b5a9c|C:\Program Files\Mozilla Firefox\xul.dll+a0c416|C:\Program Files\Mozilla Firefox\xul.dll+a06fcf|C:\Program Files\Mozilla 
Firefox\xul.dll+19c3d4d|C:\Program Files\Mozilla Firefox\xul.dll+19c2501|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051073Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.420{C8F4C507-652D-6140-6409-00000000F001}56487164C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x800000000000000051072Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 09:02:40.420{C8F4C507-652D-6140-6409-00000000F001}5648\chrome.5648.4.189234124C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000051071Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.418{C8F4C507-652D-6140-6409-00000000F001}56487164C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla 
09:02:40.303{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6609-00000000F001}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 11241100x800000000000000051030Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.285{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\prefs-1.js2021-09-14 09:02:39.735 23542300x800000000000000051029Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.285{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000051028Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.285{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\prefs-1.js2021-09-14 09:02:39.735 10341000x800000000000000051027Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.254{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6530-6140-6709-00000000F001}5336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla 
Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000051026Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.254{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6609-00000000F001}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+19d273|C:\Program Files\Mozilla Firefox\xul.dll+8e9965|C:\Program Files\Mozilla Firefox\xul.dll+8e9541|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000051025Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.222{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+ec7f3e|C:\Program Files\Mozilla 
Firefox\xul.dll+2870d2|C:\Program Files\Mozilla Firefox\xul.dll+2863bf|C:\Program Files\Mozilla Firefox\xul.dll+2861aa|C:\Program Files\Mozilla Firefox\xul.dll+ee10a5|C:\Program Files\Mozilla Firefox\xul.dll+18ab07a|C:\Program Files\Mozilla Firefox\xul.dll+1ac1848|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac3db2|C:\Program Files\Mozilla Firefox\xul.dll+176a76e|C:\Program Files\Mozilla Firefox\xul.dll+f140d2|C:\Program Files\Mozilla Firefox\xul.dll+1ac06a2|C:\Program Files\Mozilla Firefox\xul.dll+176afc9|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+1076ec|C:\Program Files\Mozilla Firefox\xul.dll+1268ff|C:\Program Files\Mozilla Firefox\xul.dll+1187299|C:\Program Files\Mozilla Firefox\xul.dll+901c48|C:\Program Files\Mozilla Firefox\xul.dll+902376|C:\Program Files\Mozilla Firefox\xul.dll+22f1b0 10341000x800000000000000051024Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.222{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+ec7f17|C:\Program Files\Mozilla Firefox\xul.dll+2870d2|C:\Program Files\Mozilla Firefox\xul.dll+2863bf|C:\Program Files\Mozilla Firefox\xul.dll+2861aa|C:\Program Files\Mozilla Firefox\xul.dll+ee10a5|C:\Program Files\Mozilla Firefox\xul.dll+18ab07a|C:\Program Files\Mozilla Firefox\xul.dll+1ac1848|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac3db2|C:\Program Files\Mozilla Firefox\xul.dll+176a76e|C:\Program Files\Mozilla Firefox\xul.dll+f140d2|C:\Program Files\Mozilla 
Firefox\xul.dll+1ac06a2|C:\Program Files\Mozilla Firefox\xul.dll+176afc9|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+1076ec|C:\Program Files\Mozilla Firefox\xul.dll+1268ff|C:\Program Files\Mozilla Firefox\xul.dll+1187299|C:\Program Files\Mozilla Firefox\xul.dll+901c48|C:\Program Files\Mozilla Firefox\xul.dll+902376|C:\Program Files\Mozilla Firefox\xul.dll+22f1b0 10341000x800000000000000051023Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.222{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+ec7eec|C:\Program Files\Mozilla Firefox\xul.dll+2870d2|C:\Program Files\Mozilla Firefox\xul.dll+2863bf|C:\Program Files\Mozilla Firefox\xul.dll+2861aa|C:\Program Files\Mozilla Firefox\xul.dll+ee10a5|C:\Program Files\Mozilla Firefox\xul.dll+18ab07a|C:\Program Files\Mozilla Firefox\xul.dll+1ac1848|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac3db2|C:\Program Files\Mozilla Firefox\xul.dll+176a76e|C:\Program Files\Mozilla Firefox\xul.dll+f140d2|C:\Program Files\Mozilla Firefox\xul.dll+1ac06a2|C:\Program Files\Mozilla Firefox\xul.dll+176afc9|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+1076ec|C:\Program Files\Mozilla Firefox\xul.dll+1268ff|C:\Program Files\Mozilla Firefox\xul.dll+1187299|C:\Program Files\Mozilla Firefox\xul.dll+901c48|C:\Program Files\Mozilla Firefox\xul.dll+902376|C:\Program Files\Mozilla Firefox\xul.dll+22f1b0 10341000x800000000000000051022Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:40.206{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6530-6140-6709-00000000F001}5336C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e485b9|C:\Program Files\Mozilla Firefox\xul.dll+e3a3a2|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147 10341000x800000000000000051021Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.206{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6530-6140-6709-00000000F001}5336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a462d8|C:\Program Files\Mozilla Firefox\xul.dll+a46044|C:\Program Files\Mozilla Firefox\xul.dll+ac028e|C:\Program Files\Mozilla 
Firefox\xul.dll+e3a352|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0 10341000x800000000000000051020Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.206{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6530-6140-6709-00000000F001}5336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a51b9d|C:\Program Files\Mozilla Firefox\xul.dll+a4719a|C:\Program Files\Mozilla Firefox\xul.dll+a47054|C:\Program Files\Mozilla Firefox\xul.dll+8e8a8e|C:\Program Files\Mozilla Firefox\xul.dll+e3a0b0|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program 
Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e 10341000x800000000000000051019Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.206{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6530-6140-6709-00000000F001}5336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+e3a04c|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8 10341000x800000000000000051018Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.206{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6530-6140-6709-00000000F001}5336C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+e3a041|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0 10341000x800000000000000051017Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.206{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6609-00000000F001}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+e3a041|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla 
Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0 10341000x800000000000000051016Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.206{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6530-6140-6709-00000000F001}5336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+e39fc3|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla 
Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f 10341000x800000000000000051015Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.206{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6530-6140-6709-00000000F001}5336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+c1485|C:\Program Files\Mozilla Firefox\xul.dll+e39c9a|C:\Program Files\Mozilla Firefox\xul.dll+e3960c|C:\Program Files\Mozilla Firefox\xul.dll+e3ba60|C:\Program Files\Mozilla Firefox\xul.dll+c6470f|C:\Program Files\Mozilla Firefox\xul.dll+c61917|C:\Program Files\Mozilla Firefox\xul.dll+2903c0|C:\Program Files\Mozilla Firefox\xul.dll+28ff41|C:\Program Files\Mozilla Firefox\xul.dll+f7f955|C:\Program Files\Mozilla Firefox\xul.dll+176b57f|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+c63f2f|C:\Program Files\Mozilla Firefox\xul.dll+26b82b|C:\Program Files\Mozilla Firefox\xul.dll+239fc5|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+183bb12|C:\Program Files\Mozilla Firefox\xul.dll+1a53f2e|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147 10341000x800000000000000051014Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.206{C8F4C507-652D-6140-6409-00000000F001}56485252C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6530-6140-6709-00000000F001}5336C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+a0040f|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program 
Files\Mozilla Firefox\xul.dll+16620b4|C:\Program Files\Mozilla Firefox\xul.dll+19c2585|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051013Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.156{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051012Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:40.156{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051011Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.156{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051010Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:40.156{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051009Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.156{C8F4C507-5C83-6140-A007-00000000F001}42241076C:\Windows\system32\csrss.exe{C8F4C507-6530-6140-6709-00000000F001}5336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051008Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.156{C8F4C507-652D-6140-6409-00000000F001}56485000C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6530-6140-6709-00000000F001}5336C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f04d|C:\Program Files\Mozilla Firefox\firefox.exe+2e255|C:\Program Files\Mozilla Firefox\xul.dll+1fc619a|C:\Program Files\Mozilla Firefox\xul.dll+9fbdfa|C:\Program Files\Mozilla Firefox\xul.dll+9f9fc5|C:\Program Files\Mozilla 
Firefox\xul.dll+a0123e|C:\Program Files\Mozilla Firefox\xul.dll+8ab830|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26d8a|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000051007Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.156{C8F4C507-6530-6140-6709-00000000F001}5336C:\Program Files\Mozilla Firefox\firefox.exe92.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5648.3.1795243801\1960198157" -childID 2 -isForBrowser -prefsHandle 3212 -prefMapHandle 3208 -prefsLen 5878 -prefMapSize 244146 -jsInit 1180 285716 -parentBuildID 20210903235534 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5648 "\\.\pipe\gecko-crash-server-pipe.5648" 3220 28ac2ff2938 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{C8F4C507-5C85-6140-1A54-470000000000}0x47541a2LowMD5=1FD44F5F8D3DBF02BF76AAAE6AB44D8A,SHA256=A20DDE702CCC7B83A9D8017BBF45738E22EF45E2F2511570E2415BE85F01A4C5,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 23542300x800000000000000051006Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.156{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD1A946A5F45B9007EDE074C6CC72914,SHA256=D5F2302F36BC4C065D11F698B37D1720AC513E156FD0B32266BEE796A40A2BB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051005Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.140{C8F4C507-4938-6140-1100-00000000F001}4081580C:\Windows\system32\svchost.exe{C8F4C507-652F-6140-6609-00000000F001}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x800000000000000051004Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 09:02:40.124{C8F4C507-652D-6140-6409-00000000F001}5648\chrome.5648.3.179524380C:\Program Files\Mozilla Firefox\firefox.exe 11241100x800000000000000051003Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.109{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm2021-09-14 09:02:40.084 11241100x800000000000000051002Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.109{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal2021-09-14 09:02:40.084 23542300x800000000000000051001Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:40.109{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F74AE7500E0788C7CA368AF72FC44E1,SHA256=1FE864E443A28DD166330046E3F04FDE018BBB47B0CA556BC5910DF4915C8773,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051000Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.084{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000050999Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.084{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm2021-09-14 09:02:40.084 11241100x800000000000000050998Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.084{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal2021-09-14 09:02:40.084 11241100x800000000000000050997Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.053{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\sessionCheckpoints.json.tmp2021-09-14 09:02:39.219 22542200x800000000000000051323Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.861{C8F4C507-652D-6140-6409-00000000F001}5648cs9.wac.phicdn.net093.184.220.29;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000051322Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.941{C8F4C507-6531-6140-6A09-00000000F001}66085996C:\Windows\system32\conhost.exe{C8F4C507-6531-6140-6909-00000000F001}1752C:\Windows\SysWOW64\systeminfo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051321Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.941{C8F4C507-5C83-6140-A007-00000000F001}42241076C:\Windows\system32\csrss.exe{C8F4C507-6531-6140-6A09-00000000F001}6608C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051320Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.925{C8F4C507-4938-6140-1200-00000000F001}6201312C:\Windows\System32\svchost.exe{C8F4C507-6531-6140-6A09-00000000F001}6608C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000051319Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:40.978{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local63516- 354300x800000000000000051318Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.978{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50774-false93.184.220.29-80http 354300x800000000000000051317Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.881{C8F4C507-6529-6140-6109-00000000F001}7024C:\Windows\System32\wbem\WmiPrvSE.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50772-false93.184.220.29-80http 354300x800000000000000051316Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.856{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50771-false52.25.31.211ec2-52-25-31-211.us-west-2.compute.amazonaws.com443https 354300x800000000000000051315Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.853{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50770-false34.208.57.189ec2-34-208-57-189.us-west-2.compute.amazonaws.com443https 354300x800000000000000051314Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.819{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50766-false34.208.57.189ec2-34-208-57-189.us-west-2.compute.amazonaws.com443https 354300x800000000000000051313Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:40.812{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50767-false34.208.57.189ec2-34-208-57-189.us-west-2.compute.amazonaws.com443https 10341000x800000000000000051312Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.888{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051311Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:41.888{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051310Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.888{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051309Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:41.888{C8F4C507-5C83-6140-A007-00000000F001}42245620C:\Windows\system32\csrss.exe{C8F4C507-6531-6140-6909-00000000F001}1752C:\Windows\SysWOW64\systeminfo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051308Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.888{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051307Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:41.888{C8F4C507-6527-6140-5F09-00000000F001}606832C:\Temp\fin7_jssloader.exe{C8F4C507-6531-6140-6909-00000000F001}1752C:\Windows\SysWOW64\systeminfo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\2c8d66b5ef1d563cf9010bf4428ff9d2\System.ni.dll+23cbb2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\2c8d66b5ef1d563cf9010bf4428ff9d2\System.ni.dll+1aaaa4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\2c8d66b5ef1d563cf9010bf4428ff9d2\System.ni.dll+1aa39c(wow64)|UNKNOWN(0000000001806C94)|UNKNOWN(0000000001805A54)|UNKNOWN(0000000001805599)|UNKNOWN(0000000001800A59)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+f066(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1230a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+185eb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1bb28b(wow64) 154100x800000000000000051306Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.887{C8F4C507-6531-6140-6909-00000000F001}1752C:\Windows\SysWOW64\systeminfo.exe10.0.14393.0 (rs1_release.160715-1616)Displays system informationMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsysinfo.exe"C:\Windows\System32\systeminfo.exe"C:\Temp\ATTACKRANGE\Administrator{C8F4C507-5C85-6140-1A54-470000000000}0x47541a2HighMD5=09FF3DC244D57B421358C4423FAD1C38,SHA256=531794D32301B83BDC58D09A2AA3A37F4FFE46107BD796187CAF3CD132D1B755,IMPHASH=C805A216BC58F0F0712773E14F26796E{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe"C:\Temp\fin7_jssloader.exe" 10341000x800000000000000051305Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.872{C8F4C507-4938-6140-1200-00000000F001}6201312C:\Windows\System32\svchost.exe{C8F4C507-6531-6140-6909-00000000F001}1752C:\Windows\SysWOW64\systeminfo.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000051304Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.857{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0E115EB6719FACC8E17558E048F03F57,SHA256=0F4B70D3CA3B0A4C71A5F8F6F989C138DD93A308D0CB5A3382938D9CDECE5952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051303Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.810{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F58B83E3DAE1A6D8AC94DEC94C0EDDD0,SHA256=3DE9104192347BC750F65A50AF8F6AD0ED648F3D87533675BE185C081321B413,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000051302Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.810{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=12FEE3E797E0D96668EB8DF5B971BD22,SHA256=C83D82A8191BEA9EE399D413491E0F0560E040AD04C186E5394982378416160E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051301Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.806{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47F9EDF60A22012E40B74678DF76CFA5,SHA256=B3CC1F37ACC6D8456AC1EF7DBE23C57D408520912C2476F49249EF0C7662086C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051300Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.805{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9DD2F994FC9C10DD0F6AF1F471571EE6,SHA256=D444C021395FB9F9BF6DADBA3835EB9BBA0BCD26B447AD24BDCAA925B7039FB5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000051299Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.725{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\prefs-1.js2021-09-14 09:02:39.735 23542300x800000000000000051298Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:41.725{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000051297Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.725{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\prefs-1.js2021-09-14 09:02:39.735 354300x800000000000000051296Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.719{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local51018- 354300x800000000000000051295Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.709{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local49189- 354300x800000000000000051294Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.708{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local62633- 354300x800000000000000051293Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.698{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local62688- 
354300x800000000000000051292Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.698{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local60881- 354300x800000000000000051291Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.689{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50768-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x800000000000000051290Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.684{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50769-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x800000000000000051289Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.683{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local52194- 354300x800000000000000051288Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.682{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local52242- 354300x800000000000000051287Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.680{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50667- 
354300x800000000000000051286Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.667{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local59652- 354300x800000000000000051285Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.666{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local49338- 354300x800000000000000051284Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.662{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local61791- 23542300x800000000000000027518Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:41.029{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6014149BE86F51835F3BAA9FA06E63A1,SHA256=B710DD57A07FFD8A386FF2352C6FFCDE975860220A98276927EA5DB53A7A31FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051283Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.442{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\pending_pings\d26fdd04-7c52-44a0-824c-e94455d9123bMD5=82DF2C0F2D5773C7EC1A2B51C999D2EC,SHA256=C56458B48D5DD76FB8123B1A8C71D27E78B92C8C0D7C51FECEE41A56A9139560,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000051282Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.442{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cra6argi.default-release\cache2\entries\D39C33CB6CA0CD427BBD70F6386ADFB6973F4A982021-09-14 09:02:41.442 354300x800000000000000051281Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.452{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50765-false143.204.207.111server-143-204-207-111.fra53.r.cloudfront.net443https 354300x800000000000000051280Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.448{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local62451- 354300x800000000000000051279Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.429{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local61502- 354300x800000000000000051278Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.368{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local51289- 354300x800000000000000051277Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.367{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local51492- 354300x800000000000000051276Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.367{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50764-false2.22.117.227a2-22-117-227.deploy.static.akamaitechnologies.com80http 354300x800000000000000051275Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.366{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local62456- 354300x800000000000000051274Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.256{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50763-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x800000000000000051273Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.254{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local59994- 354300x800000000000000051272Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.249{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local51899- 354300x800000000000000051271Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.217{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50762-false10.0.1.12-8000- 354300x800000000000000051270Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.141{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50761-false13.32.22.105server-13-32-22-105.fra56.r.cloudfront.net443https 354300x800000000000000051269Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.141{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local61391- 354300x800000000000000051268Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.140{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local58068- 10341000x800000000000000051267Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.326{C8F4C507-652D-6140-6409-00000000F001}56487164C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla 
Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051266Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.326{C8F4C507-652D-6140-6409-00000000F001}56487164C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051265Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.326{C8F4C507-652D-6140-6409-00000000F001}56487164C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051264Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.326{C8F4C507-652D-6140-6409-00000000F001}56487164C:\Program Files\Mozilla 
Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051263Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.288{C8F4C507-652D-6140-6409-00000000F001}56487164C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051262Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.288{C8F4C507-652D-6140-6409-00000000F001}56487164C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla 
Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051261Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.288{C8F4C507-652D-6140-6409-00000000F001}56487164C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051260Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.288{C8F4C507-652D-6140-6409-00000000F001}56487164C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051259Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.288{C8F4C507-652D-6140-6409-00000000F001}56487164C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program 
Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051258Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.288{C8F4C507-652D-6140-6409-00000000F001}56487164C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000051257Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.173{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B01B34D3C032C8881ECEEEC2395932EE,SHA256=81CF818C4626DD5AC9B89263F3520AE0D82E3649CCF1369B61089B2CA72F6793,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051256Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.138{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla 
Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50760-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 354300x800000000000000051255Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.131{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local58818- 354300x800000000000000051254Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.070{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50759-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 354300x800000000000000051253Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.048{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-158.attackrange.local53114-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x800000000000000051252Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.048{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local51145- 354300x800000000000000051251Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.048{C8F4C507-4938-6140-1400-00000000F001}1064C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local51145-true0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domain 23542300x800000000000000051250Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.110{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=EA84073301D858CDA479172DCA254970,SHA256=D11AB6BC29E48D425E324EF7D652C920F491DB37E44D4C68B3872665E6B451A5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000051249Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.110{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\search.json.mozlz42021-09-14 08:47:15.593 23542300x800000000000000051248Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.110{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\search.json.mozlz4MD5=A52BFA33969CB66228B092D500B22119,SHA256=893ECCBDB36D3F5C88D87AEBCDFF8EC498225996ADB00EFF1C0F3A4E5EB49EEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051247Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.057{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=EA84073301D858CDA479172DCA254970,SHA256=D11AB6BC29E48D425E324EF7D652C920F491DB37E44D4C68B3872665E6B451A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051246Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.042{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=16F261025A00439C8ACAB3FCFD71F26F,SHA256=C990A99CFCEA3E4C59CC4AB92049D3C808B24A387C39B7CECF992E2A02150F33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051245Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.026{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A45F414BFC09E5D7284BC6556540540,SHA256=783B1C36FE2BC5AF530205D57FD85DFDBF6563895220572A228BA9677646F49B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000051244Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.026{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\prefs-1.js2021-09-14 09:02:39.735 23542300x800000000000000051243Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.026{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000051242Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.026{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\prefs-1.js2021-09-14 09:02:39.735 
10341000x800000000000000051241Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.009{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6530-6140-6809-00000000F001}1968C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051240Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.009{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6530-6140-6709-00000000F001}5336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program 
Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051239Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.009{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6609-00000000F001}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+1670a5c|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla 
Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000051362Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:42.989{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BB4029C34918B8B02D579918FFD9CEB,SHA256=7E585CFA3A3EC9D63E4CD6065C2B03F680D4AB5276BE6AAED7890CE7A57C1937,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051361Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:42.989{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA7E046119FD5DD6E61746F6DD54454B,SHA256=E181E9001014E26EFB18344D7200F136F20A73318A9C5DAE748B2C0CDD6D70B1,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000051360Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.275{C8F4C507-652D-6140-6409-00000000F001}5648e15317.a.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000051359Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.275{C8F4C507-652D-6140-6409-00000000F001}5648e11847.g.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000051358Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.274{C8F4C507-652D-6140-6409-00000000F001}5648e15317.a.akamaiedge.net0104.75.90.58;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000051357Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:41.274{C8F4C507-652D-6140-6409-00000000F001}5648www.amazon.de0type: 5 tp.abe2c2f23-frontier.amazon.de;type: 5 www.amazon.de.edgekey.net;type: 5 e15317.a.akamaiedge.net;::ffff:104.75.90.58;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000051356Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.273{C8F4C507-652D-6140-6409-00000000F001}5648e11847.g.akamaiedge.net095.100.210.81;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000051355Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.273{C8F4C507-652D-6140-6409-00000000F001}5648reddit.map.fastly.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000051354Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.273{C8F4C507-652D-6140-6409-00000000F001}5648www.ebay.de0type: 5 slot11847.ebay.com.edgekey.net;type: 5 e11847.g.akamaiedge.net;::ffff:95.100.210.81;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000051353Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.272{C8F4C507-652D-6140-6409-00000000F001}5648reddit.map.fastly.net0151.101.13.140;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000051352Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.272{C8F4C507-652D-6140-6409-00000000F001}5648www.reddit.com0type: 5 reddit.map.fastly.net;::ffff:151.101.13.140;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000051351Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.271{C8F4C507-652D-6140-6409-00000000F001}5648youtube-ui.l.google.com02a00:1450:4001:82a::200e;2a00:1450:4001:82b::200e;2a00:1450:4001:830::200e;2a00:1450:4001:829::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000051350Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:41.271{C8F4C507-652D-6140-6409-00000000F001}5648dyna.wikimedia.org02620:0:862:ed1a::1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000051349Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.270{C8F4C507-652D-6140-6409-00000000F001}5648star-mini.c10r.facebook.com02a03:2880:f11c:8183:face:b00c:0:25de;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000051348Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.270{C8F4C507-652D-6140-6409-00000000F001}5648youtube-ui.l.google.com0142.250.181.238;172.217.16.142;216.58.212.174;142.250.74.206;142.250.186.46;142.250.186.78;142.250.184.206;142.250.184.238;172.217.18.110;216.58.212.142;142.250.185.78;142.250.185.110;142.250.185.142;142.250.185.174;142.250.185.206;142.250.185.238;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000051347Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.270{C8F4C507-652D-6140-6409-00000000F001}5648dyna.wikimedia.org091.198.174.192;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000051346Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.269{C8F4C507-652D-6140-6409-00000000F001}5648star-mini.c10r.facebook.com0157.240.20.35;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000051345Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.269{C8F4C507-652D-6140-6409-00000000F001}5648www.wikipedia.org0type: 5 dyna.wikimedia.org;::ffff:91.198.174.192;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000051344Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.269{C8F4C507-652D-6140-6409-00000000F001}5648www.youtube.com0type: 5 
youtube-ui.l.google.com;::ffff:142.250.185.238;::ffff:142.250.181.238;::ffff:172.217.16.142;::ffff:216.58.212.174;::ffff:142.250.74.206;::ffff:142.250.186.46;::ffff:142.250.186.78;::ffff:142.250.184.206;::ffff:142.250.184.238;::ffff:172.217.18.110;::ffff:216.58.212.142;::ffff:142.250.185.78;::ffff:142.250.185.110;::ffff:142.250.185.142;::ffff:142.250.185.174;::ffff:142.250.185.206;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000051343Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.269{C8F4C507-652D-6140-6409-00000000F001}5648www.facebook.com0type: 5 star-mini.c10r.facebook.com;::ffff:157.240.20.35;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000051342Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:40.863{C8F4C507-652D-6140-6409-00000000F001}5648cs9.wac.phicdn.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000027520Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:39.646{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51051-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027519Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:42.029{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369726D384784757FD9313475BB46566,SHA256=92ED6187B1D80283CD9C7060E6E97F5C331AAE00A9BB8AC7B9CA979B7FC75C08,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051341Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:41.122{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50773-false34.208.57.189ec2-34-208-57-189.us-west-2.compute.amazonaws.com443https 10341000x800000000000000051340Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:42.273{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6528-6140-6009-00000000F001}4400C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051339Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:42.273{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6528-6140-6009-00000000F001}4400C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051338Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:42.273{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6528-6140-6009-00000000F001}4400C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051337Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:42.273{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6528-6140-6009-00000000F001}4400C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051336Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:42.257{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6528-6140-6009-00000000F001}4400C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051335Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:42.257{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6528-6140-6009-00000000F001}4400C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051334Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:42.257{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6528-6140-6009-00000000F001}4400C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051333Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:42.257{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6528-6140-6009-00000000F001}4400C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051332Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:42.257{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6528-6140-6009-00000000F001}4400C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000051331Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:42.206{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\addonStartup.json.lz4.tmp2021-09-14 09:02:42.206 734700x800000000000000051330Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:42.156{C8F4C507-6531-6140-6909-00000000F001}1752C:\Windows\SysWOW64\systeminfo.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x800000000000000051329Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:42.156{C8F4C507-6531-6140-6909-00000000F001}1752C:\Windows\SysWOW64\systeminfo.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x800000000000000051328Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:42.141{C8F4C507-6531-6140-6909-00000000F001}1752C:\Windows\SysWOW64\systeminfo.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x800000000000000051327Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:42.141{C8F4C507-6531-6140-6909-00000000F001}1752C:\Windows\SysWOW64\systeminfo.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® 
Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 10341000x800000000000000051326Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:42.141{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6531-6140-6909-00000000F001}1752C:\Windows\SysWOW64\systeminfo.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051325Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:42.009{C8F4C507-4938-6140-1600-00000000F001}1324960C:\Windows\system32\svchost.exe{C8F4C507-6531-6140-6A09-00000000F001}6608C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051324Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:42.009{C8F4C507-4938-6140-1600-00000000F001}13241352C:\Windows\system32\svchost.exe{C8F4C507-6531-6140-6A09-00000000F001}6608C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027521Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:43.076{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0ADE30F796CDD14509831E107FA299E,SHA256=D33934B31D02145A36600AD9BB53AAF17DF9EB08C20166581FDA399B34902873,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051450Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:43.953{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6533-6140-6D09-00000000F001}4492C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051449Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.944{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051448Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:43.944{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051447Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.944{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051446Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:43.944{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051445Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.944{C8F4C507-4936-6140-0500-00000000F001}416532C:\Windows\system32\csrss.exe{C8F4C507-6533-6140-6D09-00000000F001}4492C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051444Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:43.940{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6533-6140-6D09-00000000F001}4492C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000051443Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.940{C8F4C507-6533-6140-6D09-00000000F001}4492C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe10.0.14393.4222 (rs1_release.210113-1739)Windows Modules Installer WorkerMicrosoft® Windows® Operating SystemMicrosoft CorporationTiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=1571A4132449A317F66DF783E9468783,SHA256=5CFF48937FAE7F0CF5935248959141E2A60E88FE8105C43676B866FDAC36ADD2,IMPHASH=38FF53C1CCC1EE4C508C0F83A88C4E19{C8F4C507-4937-6140-0C00-00000000F001}848C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 
10341000x800000000000000051442Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.920{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6533-6140-6C09-00000000F001}7088C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051441Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.893{C8F4C507-4936-6140-0A00-00000000F001}6242020C:\Windows\system32\services.exe{C8F4C507-6533-6140-6C09-00000000F001}7088C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000051440Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.880{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051439Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.880{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051438Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:43.880{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051437Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.880{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051436Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:43.880{C8F4C507-4936-6140-0500-00000000F001}416432C:\Windows\system32\csrss.exe{C8F4C507-6533-6140-6C09-00000000F001}7088C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051435Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.880{C8F4C507-4936-6140-0A00-00000000F001}6241320C:\Windows\system32\services.exe{C8F4C507-6533-6140-6C09-00000000F001}7088C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000051434Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.879{C8F4C507-6533-6140-6C09-00000000F001}7088C:\Windows\servicing\TrustedInstaller.exe10.0.14393.3564 (rs1_release.200303-1942)Windows Modules InstallerMicrosoft® Windows® Operating SystemMicrosoft CorporationTrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT 
AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=187076E4BC7B2F5FB7D54D1234B3CDEA,SHA256=7AE4CC64E2F0E5C58ABB6542233DA78B9AEAAD22C9D853AB96265EF3FBFEFABE,IMPHASH=648F735E453FC6802BFAECAC5ACA72A4{C8F4C507-4936-6140-0A00-00000000F001}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x800000000000000051433Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.877{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-4936-6140-0A00-00000000F001}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051432Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:43.877{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051431Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.872{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051430Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:43.872{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-4936-6140-0A00-00000000F001}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051429Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.793{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051428Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:43.784{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051427Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.784{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-4938-6140-1600-00000000F001}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000051426Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:43.709{C8F4C507-6533-6140-6B09-00000000F001}6760C:\Windows\SysWOW64\wbem\WmiPrvSE.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 10341000x800000000000000051425Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.705{C8F4C507-4938-6140-1600-00000000F001}13244504C:\Windows\system32\svchost.exe{C8F4C507-6533-6140-6B09-00000000F001}6760C:\Windows\sysWOW64\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+3ef6a|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000051424Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.698{C8F4C507-6533-6140-6B09-00000000F001}6760C:\Windows\SysWOW64\wbem\WmiPrvSE.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 
734700x800000000000000051423Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.692{C8F4C507-6533-6140-6B09-00000000F001}6760C:\Windows\SysWOW64\wbem\WmiPrvSE.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 10341000x800000000000000051422Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.688{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6533-6140-6B09-00000000F001}6760C:\Windows\sysWOW64\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000051421Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.663{C8F4C507-6533-6140-6B09-00000000F001}6760C:\Windows\SysWOW64\wbem\WmiPrvSE.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 
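The records above are Sysmon events exported with every field run together: for Event ID 10 (ProcessAccess) the order is the header fields (EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer, the empty Security UserID shown as "-", UtcTime), then SourceProcessGUID, SourceProcessId and SourceThreadId (fused into one digit run), SourceImage, TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess and CallTrace. The cluster of svchost.exe → lsass.exe opens with GrantedAccess 0x1400 and an lsm.dll call trace is the routine Local Session Manager activity that a credential-dumping rule has to leave alone. The script below is an added example, not part of this export or of the Attack Range project: it parses Event ID 10 records in exactly this flattened layout, decodes the access mask into named process rights, and flags handles to lsass.exe that carry memory-read or injection rights from a source outside an assumed allow-list or through unbacked ("UNKNOWN") stack frames. The sample records are constructed: the first two are modelled on records 51432 and 51433 above, the third (a binary in C:\Users\Public opening lsass with PROCESS_ALL_ACCESS) is invented as the positive case, and the allow-list is an assumption to tune against your own baseline.

```python
"""Parse Sysmon Event ID 10 (ProcessAccess) records in the flattened,
delimiter-free layout of this export and triage handles opened on lsass.exe."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Field order follows the Sysmon ProcessAccess schema. The export fused
# SourceProcessId and SourceThreadId into one digit run, so they are kept
# together as `src_pid_tid` rather than guessed apart.
PROCESS_ACCESS = re.compile(
    r"10341000x8000000000000000(?P<record_id>\d+)"          # EventID 10 header fields run together
    r"Microsoft-Windows-Sysmon/Operational"
    r"(?P<computer>.+?)-"                                    # Computer, then the empty Security UserID "-"
    r"(?P<utc_time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})"
    r"\{(?P<src_guid>[0-9A-Fa-f-]+)\}(?P<src_pid_tid>\d+)"
    r"(?P<src_image>[^{]+)"
    r"\{(?P<tgt_guid>[0-9A-Fa-f-]+)\}(?P<tgt_pid>\d+)"
    r"(?P<tgt_image>.+?)"
    r"0x(?P<access>[0-9a-f]+?)(?=[A-Za-z]:\\)"               # GrantedAccess ends where the first frame path starts
    r"(?P<call_trace>.+?)(?=\s+\d+0x8000000000000000|\s*$)", # CallTrace runs to the next record header
    re.MULTILINE,
)

# Process access rights from winnt.h (standard rights included for full masks).
ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
# Rights that let the holder read or tamper with lsass memory; 0x1400 has none of them.
MEMORY_RIGHTS = 0x0002 | 0x0008 | 0x0010 | 0x0020 | 0x0040

# ASSUMED allow-list of images that legitimately open lsass.exe on this host
# (svchost hosting lsm.dll, csrss on process creation, Sysmon itself).
LSASS_ALLOWED_SOURCES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\sysmon64.exe",
}


@dataclass
class ProcessAccess:
    record_id: int
    computer: str
    utc_time: str
    src_image: str
    tgt_pid: int
    tgt_image: str
    granted_access: int
    call_trace: str


def parse_process_access(blob: str) -> list[ProcessAccess]:
    """Extract every Event ID 10 record from a flattened export blob."""
    return [
        ProcessAccess(int(m["record_id"]), m["computer"], m["utc_time"], m["src_image"],
                      int(m["tgt_pid"]), m["tgt_image"], int(m["access"], 16), m["call_trace"])
        for m in PROCESS_ACCESS.finditer(blob)
    ]


def decode_access(mask: int) -> list[str]:
    """Expand a GrantedAccess mask into named rights; undefined bits are kept as hex."""
    names = [name for bit, name in sorted(ACCESS_RIGHTS.items()) if mask & bit]
    leftover = mask & ~sum(ACCESS_RIGHTS)
    if leftover:
        names.append(f"0x{leftover:x}")
    return names


def triage(rec: ProcessAccess) -> str | None:
    """Return a reason if the event looks like credential access against lsass, else None."""
    if not rec.tgt_image.lower().endswith(r"\lsass.exe"):
        return None
    if not rec.granted_access & MEMORY_RIGHTS:
        return None  # query-only handles (e.g. 0x1400 from LSM) cannot read credential material
    unbacked = "UNKNOWN" in rec.call_trace  # frame not backed by a module on disk
    if rec.src_image.lower() in LSASS_ALLOWED_SOURCES and not unbacked:
        return None
    reason = (f"{rec.src_image} opened lsass.exe (pid {rec.tgt_pid}) with "
              f"{'|'.join(decode_access(rec.granted_access))}")
    return reason + ("; call trace has unbacked frames" if unbacked else "")


def find_suspicious(blob: str) -> list[tuple[int, str]]:
    """(EventRecordID, reason) for every record that triage() flags."""
    return [(r.record_id, why) for r in parse_process_access(blob) if (why := triage(r))]


# CONSTRUCTED sample export in the page's layout (record IDs 9000xx are made up).
SAMPLE_EXPORT = "\n".join([
    # Benign: LSM inside svchost querying lsass, modelled on record 51432.
    r"10341000x8000000000000000900001Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.877{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593",
    # Benign: lsass opening services.exe with QUERY_LIMITED_INFORMATION, modelled on record 51433.
    r"10341000x8000000000000000900002Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.877{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-4936-6140-0A00-00000000F001}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\System32\KERNEL32.DLL+84d4",
    # Invented positive case: a user-writable binary opens lsass with PROCESS_ALL_ACCESS from unbacked memory.
    r"10341000x8000000000000000900003Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:01.120{C8F4C507-6600-6140-7A09-00000000F001}51045108C:\Users\Public\dumper.exe{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001F4A2C31A10)",
])

if __name__ == "__main__":
    for record_id, why in find_suspicious(SAMPLE_EXPORT):
        print(record_id, why)
```

Two caveats when running this over a real export: the fused SourceProcessId/SourceThreadId cannot be split reliably from the text alone, so correlate on SourceProcessGUID instead, and the allow-list should be derived from your own baseline of 0x1400-style query handles rather than copied; a legitimate source with a full-access mask and an unbacked call trace is still flagged, which is the intended behaviour.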
Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051383Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.310{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program 
Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0caf6 354300x800000000000000051382Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.390{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50585- 354300x800000000000000051381Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.390{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50134- 354300x800000000000000051380Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.390{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local58104- 354300x800000000000000051379Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.388{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local59423- 354300x800000000000000051378Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.388{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local59452- 354300x800000000000000051377Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.388{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local65483- 354300x800000000000000051376Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.387{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local63092- 354300x800000000000000051375Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.386{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50146- 354300x800000000000000051374Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.386{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local61112- 354300x800000000000000051373Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.386{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local61123- 354300x800000000000000051372Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.386{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local61239- 354300x800000000000000051371Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.386{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local62143- 354300x800000000000000051370Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.385{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local59513- 354300x800000000000000051369Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.384{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50436- 354300x800000000000000051368Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.384{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local62515- 354300x800000000000000051367Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.291{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local51838- 354300x800000000000000051366Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.291{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local62383- 354300x800000000000000051365Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:41.290{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local61077- 11241100x800000000000000051364Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.012{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\sessionstore-backups\upgrade.jsonlz4-202109032355342021-09-14 09:02:43.012 11241100x800000000000000051363Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.012{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\sessionstore-backups\recovery.jsonlz4.tmp2021-09-14 09:02:43.012 23542300x800000000000000027522Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:44.247{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=039AC9B17B7C719ECDB5129322C83772,SHA256=971BBCAD17AB60061B369791E21EA44DB1BA40FDA571B1524E601559D3768ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051465Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:44.933{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8EAEAC0A84370666B392F007DAA05515,SHA256=F4EADF5C3C9F104524822711B42EBFE85F2B4497B50A8518D853B4F53EC8EE49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051464Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:44.932{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=ECC9001ECF6DA07884D2B109CA0ADF02,SHA256=B612094E437AA2DB6FDBB87FA301846B28405C44A2826CCD0B6422A2879BD55D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051463Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.670{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local63999- 354300x800000000000000051462Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.670{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50775-false142.250.185.67fra16s48-in-f3.1e100.net80http 354300x800000000000000051461Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.664{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local59514- 354300x800000000000000051460Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.617{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local51893- 354300x800000000000000051459Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.616{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local51646- 
354300x800000000000000051458Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.614{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-158.attackrange.local51943-false142.250.186.36fra24s04-in-f4.1e100.net443https 354300x800000000000000051457Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.610{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local51942- 23542300x800000000000000051456Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:44.638{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09A8FBFF3C4592EA0D1AE68EACA54E83,SHA256=9DF5E03DC0FCE69418457816EBF12F64C1734AF68D6328B754FDC9480CF49453,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051455Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.411{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50641- 354300x800000000000000051454Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.408{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local59177- 23542300x800000000000000051453Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:44.116{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B403E4D6EBAC9F8465EE2E2CD85DB21,SHA256=5020558956D00BAA7FA98DA16F02A23D41B2D6EDE616797D8EED595F97875A6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051452Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:44.068{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D9EA514A99E77CB71CAFBE0C42BF701,SHA256=04016989326971AA40FAFBB2E4EABBF3FB69CD6905A02B55CD3B56CF5688AD91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051451Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:44.054{C8F4C507-6533-6140-6D09-00000000F001}44924948C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe{C8F4C507-6533-6140-6C09-00000000F001}7088C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Window
s\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 23542300x800000000000000027524Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:45.865{4A7D70D7-4BB9-6140-1E00-00000000F101}1200NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048c9ce0a14d8581d\channels\health\respondent-20210914071403-105MD5=6BC7EA00CD47C1D6CBA9803B46ADA0B9,SHA256=8A1C236148BFDB262F48F4DC65B8BF7ED103820369A4D475048D55288754A72B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027523Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:45.268{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=483DFEA9B3B3774A5BD30460E14688A5,SHA256=084C52F013C6042D25D2091829CFE7190143BB8229660E882BD1CEC2EE04CC2C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000051474Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:45.980{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\formhistory.sqlite-journal2021-09-14 09:02:45.980 22542200x800000000000000051473Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.504{C8F4C507-652D-6140-6409-00000000F001}5648www.google.com02a00:1450:4001:827::2004;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000051472Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:43.500{C8F4C507-652D-6140-6409-00000000F001}5648www.google.com0142.250.186.36;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000051471Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:43.496{C8F4C507-652D-6140-6409-00000000F001}5648www.google.com0::ffff:142.250.186.36;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000051470Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:45.242{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+f73b88|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0caf6 23542300x800000000000000051469Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:45.138{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program 
Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cra6argi.default-release\cache2\doomed\5940MD5=C07102A3A67E7ED2DE530F42FCBE571C,SHA256=98670A213D176340E6FDA4D35A7145E63E830357F86D986BF05ED325BF613B34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051468Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:45.137{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cra6argi.default-release\cache2\doomed\6164MD5=2E5AED434294D38071F8A6CDC3A70B9C,SHA256=84E09016EA036A1D5AA9C67754D851FF77DA608BC6013A78F355C587E9E4002A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051467Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:45.136{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cra6argi.default-release\cache2\doomed\2438MD5=60CAADEFBAFE969A8D68446376C81C25,SHA256=79C7E7A5F46709A456A38BF7D44D4505D20F2CF1EEA4B5A9537DF838D67F7961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051466Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:45.066{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E9E75453439A7D84C9673B42C1BC7B7,SHA256=DF7068B4535CAD4A421C66CE37A5DE306FF33CB1C7710E12FD9EC5FB9256FDB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027526Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:46.868{4A7D70D7-4BB9-6140-1E00-00000000F101}1200NT AUTHORITY\SYSTEMC:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048c9ce0a14d8581d\channels\health\surveyor-20210914071401-106MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027525Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:46.273{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAEA91F4B5FD0FD77D81123A189749AE,SHA256=29EB1581FDAB10CD41C9083ABCF431E3B8556ABA298C4010DE7BCB7370CE52F6,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000051525Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:45.992{C8F4C507-652D-6140-6409-00000000F001}5648gstaticadssl.l.google.com02a00:1450:4001:801::2003;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000051524Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:45.988{C8F4C507-652D-6140-6409-00000000F001}5648www-google-analytics.l.google.com0172.217.23.110;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000051523Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:45.988{C8F4C507-652D-6140-6409-00000000F001}5648gstaticadssl.l.google.com0142.250.186.131;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000051522Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:46.975{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla 
Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+27c3fa8|C:\Program Files\Mozilla Firefox\xul.dll+27b52ec|C:\Program Files\Mozilla Firefox\xul.dll+bfe491|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 10341000x800000000000000051521Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:46.946{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program 
Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cra6argi.default-release\cache2\entries\4ACF0D0600401DE539BB5F35DD7841A4688E58062021-09-14 09:02:47.862 11241100x800000000000000051603Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.768{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cra6argi.default-release\cache2\entries\5713FF2BC15C6EB24969104114B2FCB08F5058C42021-09-14 09:02:47.768 11241100x800000000000000051602Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.619{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cra6argi.default-release\cache2\entries\EB1ED1FCB3B18CC8CED2D96779BC23CAA0A84E072021-09-14 09:02:47.619 734700x800000000000000051601Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.602{C8F4C507-6537-6140-6F09-00000000F001}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000051600Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.597{C8F4C507-6537-6140-6F09-00000000F001}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 11241100x800000000000000051599Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.594{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cra6argi.default-release\cache2\entries\26309658A791E7BF583FE8CF2581825F3B5B30A42021-09-14 09:02:47.593 11241100x800000000000000051598Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.580{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cra6argi.default-release\cache2\entries\55B9F3419E7F46DAD3D353DB5C1DFD09B2A18A912021-09-14 09:02:47.580 10341000x800000000000000051597Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.565{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-6537-6140-6F09-00000000F001}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051596Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:47.562{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051595Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.562{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051594Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:47.562{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051593Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.562{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051592Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.561{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-6537-6140-6F09-00000000F001}6096C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051591Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.561{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-6537-6140-6F09-00000000F001}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000051590Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.560{C8F4C507-6537-6140-6F09-00000000F001}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000051589Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.498{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cra6argi.default-release\cache2\entries\83C9127606B7645811897A74426F04EF6750D8E72021-09-14 09:02:47.498 11241100x800000000000000051588Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.485{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cra6argi.default-release\cache2\entries\EA6196FC6ED61ACAA50F17B8A7CFA2716EB3CBB72021-09-14 09:02:47.485 10341000x800000000000000051587Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.481{C8F4C507-652D-6140-6409-00000000F001}56486180C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6537-6140-6E09-00000000F001}780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a02441|C:\Program Files\Mozilla Firefox\xul.dll+a63798|C:\Program Files\Mozilla Firefox\xul.dll+ce8b1|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+173c649|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26cc2|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program 
Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000051586Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.464{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cra6argi.default-release\cache2\entries\D619299F8BA78CB19F657D0EFBBF20C2198FA0552021-09-14 09:02:47.464 10341000x800000000000000051585Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.461{C8F4C507-4938-6140-1100-00000000F001}4081580C:\Windows\system32\svchost.exe{C8F4C507-6537-6140-6E09-00000000F001}780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051584Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.460{C8F4C507-4938-6140-1100-00000000F001}4081580C:\Windows\system32\svchost.exe{C8F4C507-6537-6140-6E09-00000000F001}780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051583Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:47.451{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-6537-6140-6E09-00000000F001}780C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051582Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.451{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-6537-6140-6E09-00000000F001}780C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000051581Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.430{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6537-6140-6E09-00000000F001}780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a462d8|C:\Program Files\Mozilla Firefox\xul.dll+a09d17|C:\Program Files\Mozilla Firefox\xul.dll+a52a99|C:\Program Files\Mozilla Firefox\xul.dll+e415b8|C:\Program Files\Mozilla Firefox\xul.dll+19d7315|C:\Program Files\Mozilla Firefox\xul.dll+19cb8d2|C:\Program Files\Mozilla Firefox\xul.dll+19a2909|C:\Program Files\Mozilla Firefox\xul.dll+16702fb|C:\Program Files\Mozilla Firefox\xul.dll+19ccbe6|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x800000000000000051580Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 09:02:47.430{C8F4C507-652D-6140-6409-00000000F001}5648\cubeb-pipe-5648-3C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000051579Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 09:02:47.430{C8F4C507-652D-6140-6409-00000000F001}5648\cubeb-pipe-5648-3C:\Program Files\Mozilla Firefox\firefox.exe 
10341000x800000000000000051578Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.419{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6537-6140-6E09-00000000F001}780C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051577Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.416{C8F4C507-4938-6140-1600-00000000F001}13241352C:\Windows\system32\svchost.exe{C8F4C507-6537-6140-6E09-00000000F001}780C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000051576Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 09:02:47.416{C8F4C507-652F-6140-6509-00000000F001}6596\chrome.5648.8.163562729C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000051575Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:47.416{C8F4C507-652D-6140-6409-00000000F001}56485252C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6537-6140-6E09-00000000F001}780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+1b5a9c|C:\Program Files\Mozilla Firefox\xul.dll+a0c416|C:\Program Files\Mozilla Firefox\xul.dll+a06fcf|C:\Program Files\Mozilla Firefox\xul.dll+19c3d4d|C:\Program Files\Mozilla Firefox\xul.dll+19c2501|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x800000000000000051574Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 09:02:47.416{C8F4C507-652D-6140-6409-00000000F001}5648\chrome.5648.8.163562729C:\Program Files\Mozilla Firefox\firefox.exe 18141800x800000000000000051573Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 09:02:47.414{C8F4C507-652D-6140-6409-00000000F001}5648\chrome.5648.7.22984914C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000051572Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.412{C8F4C507-652D-6140-6409-00000000F001}56486416C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6537-6140-6E09-00000000F001}780C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+133dab|C:\Program Files\Mozilla Firefox\xul.dll+121475d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
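The records above are Sysmon events (EventID 10 ProcessAccess, 3 NetworkConnect, 7 ImageLoad, 11 FileCreate, 17/18 pipe events, 22 DnsQuery, 23 FileDelete) with their XML tags stripped, so the fields run together. What an analyst actually does with this data is parse the original XML and run detection logic over it; the ProcessAccess records are the interesting ones here, because the same event type records credential-dumping tools opening handles on lsass.exe. The following is an added example, not code from this dataset or from Splunk Attack Range. It parses Sysmon XML with the standard library and flags ProcessAccess records whose target is lsass.exe and whose granted mask allows reading its memory. The XML records are constructed for the example: the first two are modelled on EventRecordID 51583 (lsass.exe opening firefox.exe with 0x1478) and 51596 (svchost.exe opening sysmon64.exe with 0x1400) from the dump, while dumper.exe, its PID 4444, record IDs 900001/900002 and the UNKNOWN call-trace frame are hypothetical. The csrss.exe allowlist is a tuning choice, not part of Sysmon.

```python
"""Parse Sysmon EventID 10 (ProcessAccess) XML and flag reads of lsass.exe memory.
Added example with constructed records; not part of the original dataset."""
import xml.etree.ElementTree as ET
from ntpath import basename  # targets are Windows paths even when run on Linux

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Process access-right bits (Win32 PROCESS_* constants).
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
MEMORY_ACCESS_BITS = PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE

# OS components that legitimately open every process with PROCESS_ALL_ACCESS.
# Matched on the full lower-cased path; this is an allowlist for tuning noise,
# not a security boundary.
BENIGN_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

EVENT_TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>10</EventID><Version>3</Version>
<Level>4</Level><Task>10</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords>
<EventRecordID>{rid}</EventRecordID><Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>win-dc-158.attackrange.local</Computer></System>
<EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">{utc}</Data>
<Data Name="SourceProcessId">{spid}</Data><Data Name="SourceImage">{src}</Data>
<Data Name="TargetProcessId">{tpid}</Data><Data Name="TargetImage">{dst}</Data>
<Data Name="GrantedAccess">{access}</Data><Data Name="CallTrace">{trace}</Data></EventData></Event>"""

# Constructed sample records (see lead-in for which values are modelled on the dump).
SAMPLE_RECORDS = [
    # Modelled on record 51583: lsass.exe is the SOURCE of the handle (an SSPI
    # callback into firefox.exe), so it must not be treated as an lsass read.
    EVENT_TEMPLATE.format(rid=51583, utc="2021-09-14 09:02:47.451", spid=632,
        src=r"C:\Windows\system32\lsass.exe", tpid=780,
        dst=r"C:\Program Files\Mozilla Firefox\firefox.exe", access="0x1478",
        trace=r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7"),
    # Modelled on record 51596: svchost.exe (lsm) querying sysmon64.exe with 0x1400.
    EVENT_TEMPLATE.format(rid=51596, utc="2021-09-14 09:02:47.562", spid=848,
        src=r"C:\Windows\system32\svchost.exe", tpid=2892,
        dst=r"C:\Windows\sysmon64.exe", access="0x1400",
        trace=r"C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\lsm.dll+fd18"),
    # Hypothetical: a tool on the desktop opens lsass.exe with
    # PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ (0x1010) from an
    # unbacked memory region (Sysmon prints such frames as UNKNOWN(address)).
    EVENT_TEMPLATE.format(rid=900001, utc="2021-09-14 09:03:00.000", spid=4444,
        src=r"C:\Users\Administrator\Desktop\dumper.exe", tpid=632,
        dst=r"C:\Windows\system32\lsass.exe", access="0x1010",
        trace=r"C:\Windows\SYSTEM32\ntdll.dll+a6134|UNKNOWN(00000000deadbeef)"),
    # Hypothetical but typical: csrss.exe opens lsass.exe with PROCESS_ALL_ACCESS.
    EVENT_TEMPLATE.format(rid=900002, utc="2021-09-14 09:03:00.100", spid=416,
        src=r"C:\Windows\system32\csrss.exe", tpid=632,
        dst=r"C:\Windows\system32\lsass.exe", access="0x1fffff",
        trace=r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47"),
]


def parse_event(xml_text):
    """Flatten one Sysmon event into a dict: System fields plus every EventData Name."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    rec = {
        "EventID": int(system.find("e:EventID", NS).text),
        "EventRecordID": int(system.find("e:EventRecordID", NS).text),
        "Computer": system.find("e:Computer", NS).text,
    }
    for data in root.find("e:EventData", NS):
        rec[data.get("Name")] = data.text or ""
    return rec


def is_lsass_read(rec):
    """True when a ProcessAccess record's TARGET is lsass.exe and the granted mask
    includes VM_READ, VM_WRITE or DUP_HANDLE. Direction matters: records where
    lsass.exe is the SOURCE (as in the dump above) are normal SSPI traffic."""
    if rec.get("EventID") != 10:
        return False
    if basename(rec.get("TargetImage", "")).lower() != "lsass.exe":
        return False
    if rec.get("SourceImage", "").lower() in BENIGN_SOURCES:
        return False
    access = int(rec.get("GrantedAccess", "0x0"), 16)
    return bool(access & MEMORY_ACCESS_BITS)


def has_unbacked_frame(rec):
    """True when any CallTrace frame is not backed by a module on disk."""
    return rec.get("EventID") == 10 and "UNKNOWN(" in rec.get("CallTrace", "")


def scan(xml_records):
    """Return [(EventRecordID, SourceImage, [reasons])] for records worth triage."""
    hits = []
    for xml_text in xml_records:
        rec = parse_event(xml_text)
        reasons = []
        if is_lsass_read(rec):
            reasons.append("lsass-read")
        if has_unbacked_frame(rec):
            reasons.append("unbacked-caller")
        if reasons:
            hits.append((rec["EventRecordID"], rec["SourceImage"], reasons))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(hit)
```

Run against the four constructed records, only the hypothetical dumper.exe record is returned, with both reasons; the record modelled on 51583 is ignored because lsass.exe is the source rather than the target, and the csrss.exe record is dropped by the allowlist. The GrantedAccess check deliberately tests bits rather than a fixed list of masks, since 0x1478 in the dump already shows how many different masks include VM_READ.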
18141800x800000000000000051571Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-ConnectPipe2021-09-14 09:02:47.410{C8F4C507-652D-6140-6409-00000000F001}5648\gecko-crash-server-pipe.5648C:\Program Files\Mozilla Firefox\firefox.exe 11241100x800000000000000051570Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.336{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cra6argi.default-release\cache2\entries\746AA6E8644DBA19FAABF87273F6F71A5B6647212021-09-14 09:02:47.332 10341000x800000000000000051569Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.332{C8F4C507-652D-6140-6409-00000000F001}56487164C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051568Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.330{C8F4C507-652D-6140-6409-00000000F001}56487164C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla 
Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051567Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.330{C8F4C507-652D-6140-6409-00000000F001}56487164C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000051566Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.325{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cra6argi.default-release\cache2\entries\D9676D2D5AB5B17CBB917B66CE70D197C9B91BA32021-09-14 09:02:47.324 11241100x800000000000000051565Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.324{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cra6argi.default-release\cache2\entries\E0ABF9E17440B7E83395D25A4947A0AFCCF605C62021-09-14 09:02:47.324 23542300x800000000000000051564Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.246{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
09:02:48.943{C8F4C507-6527-6140-5F09-00000000F001}6068ATTACKRANGE\AdministratorC:\Temp\fin7_jssloader.exeC:\Users\Administrator\AppData\Local\Temp\dcknghou.em3MD5=192F8DDA7BE30EFAFD213941725C9EE9,SHA256=8412645479748D4AC2B51684DD9AF3AED8876C4ED3B832B1F204D53754B00C94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051684Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.898{C8F4C507-6527-6140-5F09-00000000F001}6068ATTACKRANGE\AdministratorC:\Temp\fin7_jssloader.exeC:\Users\Administrator\AppData\Local\Temp\dcknghou.em3-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000051683Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.819{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exeC:\Temp\SQLite.Interop.dll1.0.112.0System.Data.SQLite Interop AssemblySystem.Data.SQLiteRobert Simpson, et al.SQLite.Interop.dllMD5=14C3254ED4A05F508BC82A1A27A1739C,SHA256=DD74AA2286FF5BF08F14F1705AC1848C6B7D74E7F8013E22DAF97B242CB67FA7,IMPHASH=AE94E7E35747470C61BF70E22CCD5D26false-Unavailable 734700x800000000000000051682Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.779{C8F4C507-6538-6140-7309-00000000F001}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000051681Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.778{C8F4C507-6538-6140-7309-00000000F001}212C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000051680Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.775{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-6538-6140-7309-00000000F001}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051679Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.744{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051678Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:48.744{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051677Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.744{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051676Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:48.744{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051675Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.744{C8F4C507-4936-6140-0500-00000000F001}416532C:\Windows\system32\csrss.exe{C8F4C507-6538-6140-7309-00000000F001}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051674Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.743{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-6538-6140-7309-00000000F001}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000051673Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.742{C8F4C507-6538-6140-7309-00000000F001}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000051672Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.751{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local64350- 354300x800000000000000051671Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.750{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local64122- 354300x800000000000000051670Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.750{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local58748- 354300x800000000000000051669Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.749{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local60466- 354300x800000000000000051668Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.747{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local64022- 354300x800000000000000051667Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.746{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local51710- 354300x800000000000000051666Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.672{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-158.attackrange.local50188-false142.250.181.226fra16s56-in-f2.1e100.net443https 354300x800000000000000051665Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.672{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local51698- 354300x800000000000000051664Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.671{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local51826- 354300x800000000000000051663Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.669{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50187- 11241100x800000000000000051662Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.localDLL2021-09-14 09:02:48.640{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exeC:\Temp\SQLite.Interop.dll2021-09-14 09:02:48.639 734700x800000000000000051661Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.576{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exeC:\Windows\SysWOW64\WindowsCodecs.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=31B320D99570E7D6FFE82CED32FD3863,SHA256=66782B6B23A96A8CA8D1B6EEACA4296683B90DB006015D00DBC4E3B8D51B5995,IMPHASH=5CB0004DB7090241A0C06F1853D02144trueMicrosoft WindowsValid 354300x800000000000000051660Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.513{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local59262- 354300x800000000000000051659Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:47.513{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-158.attackrange.local64596-false216.58.212.142ams15s21-in-f142.1e100.net443https 354300x800000000000000051658Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.510{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local64595- 354300x800000000000000051657Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:47.344{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local60573- 10341000x800000000000000051656Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.374{C8F4C507-4938-6140-1600-00000000F001}1324960C:\Windows\system32\svchost.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051655Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:48.374{C8F4C507-4938-6140-1600-00000000F001}13241352C:\Windows\system32\svchost.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051654Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.341{C8F4C507-4938-6140-1600-00000000F001}1324960C:\Windows\system32\svchost.exe{C8F4C507-6538-6140-7209-00000000F001}6600C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051653Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.340{C8F4C507-4938-6140-1600-00000000F001}13241352C:\Windows\system32\svchost.exe{C8F4C507-6538-6140-7209-00000000F001}6600C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000051652Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.338{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEEF2505B09261DBF5986BA0379AD790,SHA256=803CEF3970343C78E9E45B3532052D30BBD57AA6EE6BEB7E442CB2039612D3F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051651Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.335{C8F4C507-6538-6140-7209-00000000F001}66005468C:\Windows\system32\conhost.exe{C8F4C507-6538-6140-7109-00000000F001}896C:\Windows\SysWOW64\ipconfig.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051650Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.328{C8F4C507-5C83-6140-A007-00000000F001}42241076C:\Windows\system32\csrss.exe{C8F4C507-6538-6140-7209-00000000F001}6600C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051649Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.326{C8F4C507-4938-6140-1200-00000000F001}6201312C:\Windows\System32\svchost.exe{C8F4C507-6538-6140-7209-00000000F001}6600C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051648Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:48.322{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051647Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.322{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051646Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:48.321{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051645Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.321{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051644Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:48.321{C8F4C507-5C83-6140-A007-00000000F001}4224696C:\Windows\system32\csrss.exe{C8F4C507-6538-6140-7109-00000000F001}896C:\Windows\SysWOW64\ipconfig.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051643Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.321{C8F4C507-6527-6140-5F09-00000000F001}606832C:\Temp\fin7_jssloader.exe{C8F4C507-6538-6140-7109-00000000F001}896C:\Windows\SysWOW64\ipconfig.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\2c8d66b5ef1d563cf9010bf4428ff9d2\System.ni.dll+23cbb2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\2c8d66b5ef1d563cf9010bf4428ff9d2\System.ni.dll+1aaaa4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\2c8d66b5ef1d563cf9010bf4428ff9d2\System.ni.dll+1aa39c(wow64)|UNKNOWN(0000000001806C94)|UNKNOWN(0000000001805A77)|UNKNOWN(0000000001805599)|UNKNOWN(0000000001800A59)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+f066(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1230a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+185eb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1bb28b(wow64) 154100x800000000000000051642Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.320{C8F4C507-6538-6140-7109-00000000F001}896C:\Windows\SysWOW64\ipconfig.exe10.0.14393.0 
(rs1_release.160715-1616)IP Configuration UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationipconfig.exe"C:\Windows\System32\ipconfig.exe" /allC:\Temp\ATTACKRANGE\Administrator{C8F4C507-5C85-6140-1A54-470000000000}0x47541a2HighMD5=D99377A3CC218A71E27DFA4C6C4892A4,SHA256=5F2FF9DFA80DCBAE0301500B50F5BB10DDA257BE9C061B3CFCC9BA3C1FBC8891,IMPHASH=9CB4975E5FC345BA48C788102C18C1A6{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe"C:\Temp\fin7_jssloader.exe" 10341000x800000000000000051641Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.320{C8F4C507-4938-6140-1200-00000000F001}6201312C:\Windows\System32\svchost.exe{C8F4C507-6538-6140-7109-00000000F001}896C:\Windows\SysWOW64\ipconfig.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051640Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:48.297{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6528-6140-6009-00000000F001}4400C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051639Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.297{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6528-6140-6009-00000000F001}4400C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051638Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:48.296{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6528-6140-6009-00000000F001}4400C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051637Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.296{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6528-6140-6009-00000000F001}4400C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051636Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:48.295{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6528-6140-6009-00000000F001}4400C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051635Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.295{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6528-6140-6009-00000000F001}4400C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051634Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:48.295{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6528-6140-6009-00000000F001}4400C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051633Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.294{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6528-6140-6009-00000000F001}4400C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051632Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:48.294{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6528-6140-6009-00000000F001}4400C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000051631Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.269{C8F4C507-6528-6140-6009-00000000F001}4400NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\oem7.PNFMD5=3680B792E12057136D823CB0C3E51332,SHA256=AC044961C84264E2488D01C7F73798D3132586C740A29223338B58291B55EEA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051630Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.263{C8F4C507-6528-6140-6009-00000000F001}4400NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\nettun.PNFMD5=8C5935319726DEF7D58E0FA47E9D95D9,SHA256=41742A7CFAFF93F1E876ED33377B43FA82BE9B8C76FA0E3714D71D995B140116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051629Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.252{C8F4C507-6528-6140-6009-00000000F001}4400NT AUTHORITY\NETWORK 
SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\kdnic.PNFMD5=5A9ED63443DADAA9F78B016A4D140782,SHA256=42F6E997F0137AB6916F1FCD256449FFC8509F192A2B2B849650232049131457,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051628Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.107{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28FB42C9841B6B026F36BF2FC99CF53F,SHA256=D85CD43F956D12D518CC5D200E90CEC2D70EC782DC54EE9A94B57776FBDF46E6,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000051627Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.087{C8F4C507-6538-6140-7009-00000000F001}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000051626Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.086{C8F4C507-6538-6140-7009-00000000F001}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000051625Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:48.083{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-6538-6140-7009-00000000F001}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051624Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.082{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051623Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:48.081{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051622Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.081{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051621Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:48.081{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051620Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.081{C8F4C507-4936-6140-0500-00000000F001}416432C:\Windows\system32\csrss.exe{C8F4C507-6538-6140-7009-00000000F001}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051619Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.080{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-6538-6140-7009-00000000F001}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000051618Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.079{C8F4C507-6538-6140-7009-00000000F001}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027530Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:49.305{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C38C87B37C60926CA6AE22FA588A450,SHA256=8C460B005B9EAFEA9D9753803FB23C2AE52F10A9FA49B835FDCD456083816029,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000051740Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:49.907{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0caf6 23542300x800000000000000051739Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:49.628{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFB4FAB55E4910E3D7DA68DA0B3E9DF6,SHA256=0FB28FFEA48F993B56D39BC5C2B63D26A071E0E4D278D226BC98FF58A8EC9109,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000051738Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:49.526{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a99ac(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|C:\Windows\System32\faultrep.dll+13a39(wow64)|C:\Windows\System32\faultrep.dll+e2ff(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000051737Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:49.526{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+1151d(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000051736Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:49.526{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+1151d(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000051735Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:49.526{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+1151d(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000051734Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:49.526{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+1151d(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000051733Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:49.526{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+1151d(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000051732Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:49.526{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+1151d(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000051731Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:49.526{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+1151d(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000051730Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:49.526{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+1151d(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000051729Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:49.526{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+1151d(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000051728Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:49.525{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+1151d(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000051727Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
11241100x800000000000000051907Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.972{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.bin2021-09-14 08:47:15.839 23542300x800000000000000051906Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.972{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\glean\db\data.safe.binMD5=2D4AE1F290310C12317DA5D77FD3BF14,SHA256=BED84DEEEC04A04AC3CE4DBC057EC13693919CD357A1B77992A97E5C7CA95886,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051905Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.950{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6539-6140-7509-00000000F001}6332C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051904Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:50.934{C8F4C507-4938-6140-1600-00000000F001}1324960C:\Windows\system32\svchost.exe{C8F4C507-653A-6140-7B09-00000000F001}5888C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051903Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.934{C8F4C507-4938-6140-1600-00000000F001}13241352C:\Windows\system32\svchost.exe{C8F4C507-653A-6140-7B09-00000000F001}5888C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051902Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.934{C8F4C507-4938-6140-1600-00000000F001}1324960C:\Windows\system32\svchost.exe{C8F4C507-653A-6140-7709-00000000F001}2216C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051901Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:50.934{C8F4C507-4938-6140-1600-00000000F001}13241352C:\Windows\system32\svchost.exe{C8F4C507-653A-6140-7709-00000000F001}2216C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051900Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.934{C8F4C507-4938-6140-1600-00000000F001}1324960C:\Windows\system32\svchost.exe{C8F4C507-653A-6140-7909-00000000F001}6832C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051899Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.934{C8F4C507-4938-6140-1600-00000000F001}13241352C:\Windows\system32\svchost.exe{C8F4C507-653A-6140-7909-00000000F001}6832C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051898Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:50.934{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6539-6140-7509-00000000F001}6332C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000051897Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.934{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cra6argi.default-release\startupCache\scriptCache-child-new.bin2021-09-14 09:02:50.934 10341000x800000000000000051896Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:50.918{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-6539-6140-7509-00000000F001}6332C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000051895Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.918{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cra6argi.default-release\startupCache\scriptCache-new.bin2021-09-14 09:02:50.918 10341000x800000000000000051894Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.918{C8F4C507-653A-6140-7B09-00000000F001}58885896C:\Windows\system32\conhost.exe{C8F4C507-653A-6140-7A09-00000000F001}5136C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000051893Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.918{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\cra6argi.default-release\startupCache\urlCache-new.bin2021-09-14 09:02:50.918 23542300x800000000000000051892Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.903{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\aborted-session-pingMD5=6021B2564967CAB0E4FF64F70E92564A,SHA256=354C6B005BDDC79C868147DE8DA6185175DC167EF9A501DE04E1338F14C005C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051891Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.903{C8F4C507-653A-6140-7909-00000000F001}68325576C:\Windows\system32\conhost.exe{C8F4C507-653A-6140-7809-00000000F001}5652C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051890Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.903{C8F4C507-653A-6140-7709-00000000F001}22165908C:\Windows\system32\conhost.exe{C8F4C507-653A-6140-7609-00000000F001}6240C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051889Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:50.903{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051888Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.903{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051887Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:50.903{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051886Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.903{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051885Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:50.903{C8F4C507-5C83-6140-A007-00000000F001}42245620C:\Windows\system32\csrss.exe{C8F4C507-653A-6140-7B09-00000000F001}5888C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051884Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.887{C8F4C507-5C83-6140-A007-00000000F001}4224696C:\Windows\system32\csrss.exe{C8F4C507-653A-6140-7A09-00000000F001}5136C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051883Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.887{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-653A-6140-7A09-00000000F001}5136C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\xul.dll+2011fdf|C:\Program Files\Mozilla Firefox\xul.dll+2011df5|C:\Program Files\Mozilla Firefox\xul.dll+2011e41|C:\Program Files\Mozilla Firefox\xul.dll+1eed842|C:\Program Files\Mozilla Firefox\xul.dll+19f1947|C:\Program Files\Mozilla Firefox\xul.dll+19f30a0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+1b99b70|C:\Program Files\Mozilla Firefox\xul.dll+177b3aa|C:\Program Files\Mozilla Firefox\xul.dll+1771b13|C:\Program Files\Mozilla Firefox\xul.dll+19ebdcb|C:\Program Files\Mozilla Firefox\xul.dll+166fbf5|C:\Program Files\Mozilla Firefox\xul.dll+1eed842|C:\Program Files\Mozilla 
Firefox\xul.dll+19f1947|C:\Program Files\Mozilla Firefox\xul.dll+19f30a0|UNKNOWN(0000018AB2B3885A) 154100x800000000000000051882Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.896{C8F4C507-653A-6140-7A09-00000000F001}5136C:\Program Files\Mozilla Firefox\pingsender.exe92.0-FirefoxMozilla Foundationpingsender.exe"C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/f745d52e-6e81-483e-a191-0852cb95d3d3/main/Firefox/92.0/release/20210903235534?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\saved-telemetry-pings\f745d52e-6e81-483e-a191-0852cb95d3d3C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{C8F4C507-5C85-6140-1A54-470000000000}0x47541a2MediumMD5=8A5233CE7A88489D05FEF9BB7AE52572,SHA256=0888DF51AA62CAF8E02C97564FF4BDCEDCF8CC0B6091753F7D9D4389689BA825,IMPHASH=AF27FA7223A9B6FE80447A0E6715E632{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 11241100x800000000000000051881Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.887{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\saved-telemetry-pings\f745d52e-6e81-483e-a191-0852cb95d3d3.tmp2021-09-14 09:02:50.887 11241100x800000000000000051880Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.872{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\datareporting\archived\2021-09\1631610170874.f745d52e-6e81-483e-a191-0852cb95d3d3.main.jsonlz4.tmp2021-09-14 09:02:50.872 10341000x800000000000000051879Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:50.872{C8F4C507-5C83-6140-A007-00000000F001}42241076C:\Windows\system32\csrss.exe{C8F4C507-653A-6140-7909-00000000F001}6832C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051878Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.869{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051877Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:50.869{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051876Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.869{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051875Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:50.868{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051874Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.851{C8F4C507-5C83-6140-A007-00000000F001}42241076C:\Windows\system32\csrss.exe{C8F4C507-653A-6140-7809-00000000F001}5652C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051873Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.851{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-653A-6140-7809-00000000F001}5652C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\xul.dll+2011fdf|C:\Program Files\Mozilla Firefox\xul.dll+2011df5|C:\Program Files\Mozilla Firefox\xul.dll+2011e41|C:\Program Files\Mozilla Firefox\xul.dll+1eed842|C:\Program Files\Mozilla Firefox\xul.dll+19f1947|C:\Program Files\Mozilla 
Firefox\xul.dll+19f30a0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+1b99b70|C:\Program Files\Mozilla Firefox\xul.dll+177b3aa|C:\Program Files\Mozilla Firefox\xul.dll+1771b13|C:\Program Files\Mozilla Firefox\xul.dll+19ebdcb|C:\Program Files\Mozilla Firefox\xul.dll+166fbf5|C:\Program Files\Mozilla Firefox\xul.dll+1eed842|C:\Program Files\Mozilla Firefox\xul.dll+19f1947|C:\Program Files\Mozilla Firefox\xul.dll+19f30a0|UNKNOWN(0000018AB2B3885A) 10341000x800000000000000051872Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.851{C8F4C507-5C83-6140-A007-00000000F001}4224696C:\Windows\system32\csrss.exe{C8F4C507-653A-6140-7709-00000000F001}2216C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x800000000000000051871Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.862{C8F4C507-653A-6140-7809-00000000F001}5652C:\Program Files\Mozilla Firefox\pingsender.exe92.0-FirefoxMozilla Foundationpingsender.exe"C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/47685faf-f547-4eab-bcf1-e5753fd299fe/health/Firefox/92.0/release/20210903235534?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\saved-telemetry-pings\47685faf-f547-4eab-bcf1-e5753fd299feC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{C8F4C507-5C85-6140-1A54-470000000000}0x47541a2MediumMD5=8A5233CE7A88489D05FEF9BB7AE52572,SHA256=0888DF51AA62CAF8E02C97564FF4BDCEDCF8CC0B6091753F7D9D4389689BA825,IMPHASH=AF27FA7223A9B6FE80447A0E6715E632{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6B50C444D87E91014BD42BF0845D2E5,SHA256=551E6960FAF3EDCAA6676A3159B0F1CD843B4E2ACE888A04544B8AB7A29D1FB2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000051796Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.502{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\sessionCheckpoints.json.tmp2021-09-14 09:02:39.219 10341000x800000000000000051795Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.495{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6537-6140-6E09-00000000F001}780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(0000018AB2A71E84) 10341000x800000000000000051794Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.493{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6530-6140-6809-00000000F001}1968C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla 
Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(0000018AB2A71E84) 10341000x800000000000000051793Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.493{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6609-00000000F001}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(0000018AB2A71E84) 10341000x800000000000000051792Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.493{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6537-6140-6E09-00000000F001}780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program 
Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(0000018AB2A71E84) 10341000x800000000000000051791Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.490{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6530-6140-6809-00000000F001}1968C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(0000018AB2A71E84) 10341000x800000000000000051790Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.490{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6609-00000000F001}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla 
Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(0000018AB2A71E84) 10341000x800000000000000051789Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.489{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6537-6140-6E09-00000000F001}780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+1b66eb1|C:\Program Files\Mozilla Firefox\xul.dll+1d25fa7|UNKNOWN(0000018AB2A73E5F) 10341000x800000000000000051788Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.486{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6530-6140-6809-00000000F001}1968C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program 
Files\Mozilla Firefox\xul.dll+1b66eb1|C:\Program Files\Mozilla Firefox\xul.dll+1d25fa7|UNKNOWN(0000018AB2A73E5F) 10341000x800000000000000051787Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.486{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6609-00000000F001}6420C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+1b66eb1|C:\Program Files\Mozilla Firefox\xul.dll+1d25fa7|UNKNOWN(0000018AB2A73E5F) 23542300x800000000000000051786Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.485{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\sessionstore-backups\recovery.jsonlz4MD5=F768FEE3166BC78827AE97D60E75C851,SHA256=C40E03883FDA57D5882D23A94B05318D3865A33022E249EFE8986B0BB79BA510,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051785Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:48.348{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local60445- 23542300x800000000000000051784Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:50.478{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=49D0E03DD29AB75DAEA936257EAD6A6E,SHA256=FBF05BB5E24321B34CB4490F17F76548CFAA23BDDD460039769BDFC92585E234,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051783Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.477{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6609-00000000F001}6420C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e4c727|C:\Program Files\Mozilla Firefox\xul.dll+8b9000|C:\Program Files\Mozilla Firefox\xul.dll+8ad3ed|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000051782Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.477{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\sessionstore.jsonlz4.tmp2021-09-14 09:02:50.477 11241100x800000000000000051781Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.474{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\sessionCheckpoints.json.tmp2021-09-14 09:02:39.219 11241100x800000000000000051780Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.472{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\prefs-1.js2021-09-14 09:02:39.735 23542300x800000000000000051779Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.472{C8F4C507-652D-6140-6409-00000000F001}5648ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000051778Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.470{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\prefs-1.js2021-09-14 09:02:39.735 23542300x800000000000000051777Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.457{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5AA232D902B1A3B7E21181057050835,SHA256=6FCC4445D0A3EF7FBB17469CC0F7DB13C7E77FDBBAB996FB8CD4AFA406ADF92F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000051776Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.440{C8F4C507-652D-6140-6409-00000000F001}5648C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\sessionCheckpoints.json.tmp2021-09-14 09:02:39.219 23542300x800000000000000051775Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.408{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=20064191BC0698A7F0825AFCF480ED1B,SHA256=8B814CCB1400A5AEFF31A8B7312904459C927E9AA158E4D9FD7D59376A3D1D36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051774Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.406{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8EAEAC0A84370666B392F007DAA05515,SHA256=F4EADF5C3C9F104524822711B42EBFE85F2B4497B50A8518D853B4F53EC8EE49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051773Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.405{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-6530-6140-6809-00000000F001}1968C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program 
Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e485b9|C:\Program Files\Mozilla Firefox\xul.dll+e3cfde|C:\Program Files\Mozilla Firefox\xul.dll+e27e51|C:\Program Files\Mozilla Firefox\xul.dll+c63636|C:\Program Files\Mozilla Firefox\xul.dll+239f11|C:\Program Files\Mozilla Firefox\xul.dll+894e91|C:\Program Files\Mozilla Firefox\xul.dll+1740a55|C:\Program Files\Mozilla Firefox\xul.dll+f2cf56|C:\Program Files\Mozilla Firefox\xul.dll+3d8abb|C:\Program Files\Mozilla Firefox\xul.dll+ca931|C:\Program Files\Mozilla Firefox\xul.dll+11a1262|C:\Program Files\Mozilla Firefox\xul.dll+c2491e|C:\Program Files\Mozilla Firefox\xul.dll+c2552b|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f 10341000x800000000000000051772Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.394{C8F4C507-652D-6140-6409-00000000F001}56487164C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051771Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.394{C8F4C507-652D-6140-6409-00000000F001}56487164C:\Program Files\Mozilla 
Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051770Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.393{C8F4C507-652D-6140-6409-00000000F001}56487164C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051769Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.391{C8F4C507-652D-6140-6409-00000000F001}56487164C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla 
Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051768Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.380{C8F4C507-652D-6140-6409-00000000F001}56486948C:\Program Files\Mozilla Firefox\firefox.exe{C8F4C507-652F-6140-6509-00000000F001}6596C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a0d439|C:\Program Files\Mozilla Firefox\xul.dll+a0d35a|C:\Program Files\Mozilla Firefox\xul.dll+a0cf49|C:\Program Files\Mozilla Firefox\xul.dll+a090df|C:\Program Files\Mozilla Firefox\xul.dll+a093ec|C:\Program Files\Mozilla Firefox\xul.dll+b55c5a|C:\Program Files\Mozilla Firefox\xul.dll+2d9649|C:\Program Files\Mozilla Firefox\xul.dll+2d9554|C:\Program Files\Mozilla Firefox\xul.dll+2d933d|C:\Program Files\Mozilla Firefox\xul.dll+2d91d4|C:\Program Files\Mozilla Firefox\xul.dll+ba1993|C:\Program Files\Mozilla Firefox\xul.dll+ba2691|C:\Program Files\Mozilla Firefox\xul.dll+ba168d|C:\Program Files\Mozilla Firefox\xul.dll+ba15e2|C:\Program Files\Mozilla Firefox\xul.dll+b723b2|C:\Program Files\Mozilla Firefox\xul.dll+1a1b580|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda 23542300x800000000000000051767Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.285{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6D79A4873283FF15C2E569EAE89EE4C,SHA256=638D97A1E13F14FFCB612D30FF6034BDADE2DF1C6CC17D95471B5DE1142D40E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051766Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.277{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+296a4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+29b6d(wow64)|C:\Windows\System32\faultrep.dll+1e913(wow64)|C:\Windows\System32\faultrep.dll+1a2a7(wow64)|C:\Windows\System32\faultrep.dll+10274(wow64)|C:\Windows\System32\faultrep.dll+e40c(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f 10341000x800000000000000051765Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:50.277{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+f0acb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+29697(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+29b6d(wow64)|C:\Windows\System32\faultrep.dll+1e913(wow64)|C:\Windows\System32\faultrep.dll+1a2a7(wow64)|C:\Windows\System32\faultrep.dll+10274(wow64)|C:\Windows\System32\faultrep.dll+e40c(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f 10341000x800000000000000051764Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:50.277{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+296a4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+29b6d(wow64)|C:\Windows\System32\faultrep.dll+1e913(wow64)|C:\Windows\System32\faultrep.dll+1a2a7(wow64)|C:\Windows\System32\faultrep.dll+10274(wow64)|C:\Windows\System32\faultrep.dll+e40c(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f 10341000x800000000000000051763Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:50.277{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+f0acb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+29697(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+29b6d(wow64)|C:\Windows\System32\faultrep.dll+1e913(wow64)|C:\Windows\System32\faultrep.dll+1a2a7(wow64)|C:\Windows\System32\faultrep.dll+10274(wow64)|C:\Windows\System32\faultrep.dll+e40c(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f 10341000x800000000000000051762Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:50.277{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+296a4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+29b6d(wow64)|C:\Windows\System32\faultrep.dll+1e913(wow64)|C:\Windows\System32\faultrep.dll+1a2a7(wow64)|C:\Windows\System32\faultrep.dll+10274(wow64)|C:\Windows\System32\faultrep.dll+e40c(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f 10341000x800000000000000051761Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:50.277{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+f0acb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+29697(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+29b6d(wow64)|C:\Windows\System32\faultrep.dll+1e913(wow64)|C:\Windows\System32\faultrep.dll+1a2a7(wow64)|C:\Windows\System32\faultrep.dll+10274(wow64)|C:\Windows\System32\faultrep.dll+e40c(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f 10341000x800000000000000051760Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:50.277{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+296a4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+29b6d(wow64)|C:\Windows\System32\faultrep.dll+1e913(wow64)|C:\Windows\System32\faultrep.dll+1a2a7(wow64)|C:\Windows\System32\faultrep.dll+10274(wow64)|C:\Windows\System32\faultrep.dll+e40c(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f 10341000x800000000000000051759Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:50.277{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+f0acb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+29697(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+29b6d(wow64)|C:\Windows\System32\faultrep.dll+1e913(wow64)|C:\Windows\System32\faultrep.dll+1a2a7(wow64)|C:\Windows\System32\faultrep.dll+10274(wow64)|C:\Windows\System32\faultrep.dll+e40c(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f 10341000x800000000000000051758Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:50.277{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+296a4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+29b6d(wow64)|C:\Windows\System32\faultrep.dll+1e913(wow64)|C:\Windows\System32\faultrep.dll+1a2a7(wow64)|C:\Windows\System32\faultrep.dll+10274(wow64)|C:\Windows\System32\faultrep.dll+e40c(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f 10341000x800000000000000051757Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:50.277{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+f0acb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+29697(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+29b6d(wow64)|C:\Windows\System32\faultrep.dll+1e913(wow64)|C:\Windows\System32\faultrep.dll+1a2a7(wow64)|C:\Windows\System32\faultrep.dll+10274(wow64)|C:\Windows\System32\faultrep.dll+e40c(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f 10341000x800000000000000051756Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:50.277{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+296a4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+29b6d(wow64)|C:\Windows\System32\faultrep.dll+1e913(wow64)|C:\Windows\System32\faultrep.dll+1a2a7(wow64)|C:\Windows\System32\faultrep.dll+10274(wow64)|C:\Windows\System32\faultrep.dll+e40c(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f 10341000x800000000000000051755Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:50.272{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+f0acb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+29697(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+29b6d(wow64)|C:\Windows\System32\faultrep.dll+1e913(wow64)|C:\Windows\System32\faultrep.dll+1a2a7(wow64)|C:\Windows\System32\faultrep.dll+10274(wow64)|C:\Windows\System32\faultrep.dll+e40c(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f 10341000x800000000000000051754Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:50.272{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+296a4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+29b6d(wow64)|C:\Windows\System32\faultrep.dll+1e913(wow64)|C:\Windows\System32\faultrep.dll+1a2a7(wow64)|C:\Windows\System32\faultrep.dll+10274(wow64)|C:\Windows\System32\faultrep.dll+e40c(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f 10341000x800000000000000051753Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:50.272{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+f0acb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+29697(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+29b6d(wow64)|C:\Windows\System32\faultrep.dll+1e913(wow64)|C:\Windows\System32\faultrep.dll+1a2a7(wow64)|C:\Windows\System32\faultrep.dll+10274(wow64)|C:\Windows\System32\faultrep.dll+e40c(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f 10341000x800000000000000051752Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:50.271{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+296a4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+29b6d(wow64)|C:\Windows\System32\faultrep.dll+1e913(wow64)|C:\Windows\System32\faultrep.dll+1a2a7(wow64)|C:\Windows\System32\faultrep.dll+10274(wow64)|C:\Windows\System32\faultrep.dll+e40c(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f 10341000x800000000000000051751Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:50.271{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+f0acb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+29697(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+29b6d(wow64)|C:\Windows\System32\faultrep.dll+1e913(wow64)|C:\Windows\System32\faultrep.dll+1a2a7(wow64)|C:\Windows\System32\faultrep.dll+10274(wow64)|C:\Windows\System32\faultrep.dll+e40c(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f 10341000x800000000000000051750Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:50.267{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+296a4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+29b6d(wow64)|C:\Windows\System32\faultrep.dll+1e913(wow64)|C:\Windows\System32\faultrep.dll+1a2a7(wow64)|C:\Windows\System32\faultrep.dll+10274(wow64)|C:\Windows\System32\faultrep.dll+e40c(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f 10341000x800000000000000051749Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:50.266{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+f0acb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+29697(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+29b6d(wow64)|C:\Windows\System32\faultrep.dll+1e913(wow64)|C:\Windows\System32\faultrep.dll+1a2a7(wow64)|C:\Windows\System32\faultrep.dll+10274(wow64)|C:\Windows\System32\faultrep.dll+e40c(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f 10341000x800000000000000051748Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:50.252{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+296a4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+29867(wow64)|C:\Windows\System32\faultrep.dll+1f0d5(wow64)|C:\Windows\System32\faultrep.dll+1ed96(wow64)|C:\Windows\System32\faultrep.dll+1e59a(wow64)|C:\Windows\System32\faultrep.dll+1a16b(wow64)|C:\Windows\System32\faultrep.dll+10171(wow64)|C:\Windows\System32\faultrep.dll+e40c(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07 10341000x800000000000000051747Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:50.252{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+f0acb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+29697(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll+29867(wow64)|C:\Windows\System32\faultrep.dll+1f0d5(wow64)|C:\Windows\System32\faultrep.dll+1ed96(wow64)|C:\Windows\System32\faultrep.dll+1e59a(wow64)|C:\Windows\System32\faultrep.dll+1a16b(wow64)|C:\Windows\System32\faultrep.dll+10171(wow64)|C:\Windows\System32\faultrep.dll+e40c(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07 23542300x800000000000000051746Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.097{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=84919AD4D6F0B6EC69EB0510215B4D03,SHA256=949AADFB2F18FDF673D7DEA250DECBA9B142AE5584B4C6F1589968ED72473FB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051745Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:50.085{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\faultrep.dll+27043(wow64)|C:\Windows\System32\faultrep.dll+1a9b6(wow64)|C:\Windows\System32\faultrep.dll+1ab65(wow64)|C:\Windows\System32\faultrep.dll+1a16b(wow64)|C:\Windows\System32\faultrep.dll+10171(wow64)|C:\Windows\System32\faultrep.dll+e40c(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 13241300x800000000000000051744Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.localInvDB-VerSetValue2021-09-14 09:02:50.054{C8F4C507-6539-6140-7509-00000000F001}6332C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{b091ad1d-ed26-be0d-724b-8de17774c45a}\Root\InventoryApplicationFile\fin7_jssloader.e|19e751d51692c7de\BinProductVersion1.0.0.0 13241300x800000000000000051743Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.localInvDB-CompileTimeClaimSetValue2021-09-14 09:02:50.054{C8F4C507-6539-6140-7509-00000000F001}6332C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{b091ad1d-ed26-be0d-724b-8de17774c45a}\Root\InventoryApplicationFile\fin7_jssloader.e|19e751d51692c7de\LinkDate12/04/2019 17:30:26 13241300x800000000000000051742Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.localInvDB-PubSetValue2021-09-14 
09:02:50.054{C8F4C507-6539-6140-7509-00000000F001}6332C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{b091ad1d-ed26-be0d-724b-8de17774c45a}\Root\InventoryApplicationFile\fin7_jssloader.e|19e751d51692c7de\Publisher(Empty) 13241300x800000000000000051741Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.localInvDB-PathSetValue2021-09-14 09:02:50.052{C8F4C507-6539-6140-7509-00000000F001}6332C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{b091ad1d-ed26-be0d-724b-8de17774c45a}\Root\InventoryApplicationFile\fin7_jssloader.e|19e751d51692c7de\LowerCaseLongPathc:\temp\fin7_jssloader.exe 23542300x800000000000000027532Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:51.321{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C7A5EA5F8655CAD03FB703699398A19,SHA256=BF13DBB1E07AF4F79495A4DD39A37753CC326D05CE4F0D931114B26D7DDF43D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051946Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:51.963{C8F4C507-653A-6140-7A09-00000000F001}5136ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\saved-telemetry-pings\f745d52e-6e81-483e-a191-0852cb95d3d3MD5=3B8887EF2A320BDF1B2F1CA5F0B6EAC4,SHA256=8B8157EF0C092D5F40AE29210E8E5FAEEEEBA0D8BC12142F79E7596AC6ADF5AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051945Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:51.963{C8F4C507-653A-6140-7609-00000000F001}6240ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\saved-telemetry-pings\86f086c1-eb79-47c1-9e2d-847b4d00bc2eMD5=1583971C905E35A5A6713B7619217122,SHA256=1E81A12F7A392DD0AB432EC979A098F98236B67A225EA133408E40253D06AAAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051944Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:51.947{C8F4C507-653A-6140-7809-00000000F001}5652ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cra6argi.default-release\saved-telemetry-pings\47685faf-f547-4eab-bcf1-e5753fd299feMD5=677046FA9472D0F4B054DE5E98BBA5A4,SHA256=099261174B6B7E14DA9BF884C7BF86949A03FA70AEEFD147D62F0B784BFEACEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051943Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:51.869{C8F4C507-653B-6140-7C09-00000000F001}63726364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000051942Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:51.697{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F53A2BCAB24B21EA36B0450FBCEC77DA,SHA256=9082E2C81E6E7696B9B7F35332EE01AD77515C944CCC0FAF61F758C2A3D2CC4A,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000051941Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:51.494{C8F4C507-653B-6140-7C09-00000000F001}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000051940Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:51.494{C8F4C507-653B-6140-7C09-00000000F001}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000051939Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:51.494{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-653B-6140-7C09-00000000F001}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051938Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:51.479{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051937Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:51.479{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051936Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:51.479{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051935Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:51.479{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051934Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:51.479{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-653B-6140-7C09-00000000F001}6372C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051933Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:51.479{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-653B-6140-7C09-00000000F001}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000051932Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:51.355{C8F4C507-653B-6140-7C09-00000000F001}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051931Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:51.291{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA5C2CAFCB01E0AB2D126F27227EB30,SHA256=4977DADBB4F722E97818F24D584F83A8F19436BDB141F2098A4546B34621BCE3,IMPHASH=00000000000000000000000000000000falsetrue 17141700x800000000000000051930Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-CreatePipe2021-09-14 09:02:51.291{C8F4C507-4938-6140-1100-00000000F001}408\ProtectedPrefix\LocalService\FTHPIPEC:\Windows\system32\svchost.exe 10341000x800000000000000051929Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:51.275{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051928Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:51.275{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051927Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:51.275{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-4936-6140-0A00-00000000F001}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051926Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:51.182{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4938-6140-1600-00000000F001}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051925Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:51.182{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4938-6140-1600-00000000F001}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051924Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:51.182{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4938-6140-1600-00000000F001}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051923Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:51.182{C8F4C507-5C87-6140-B607-00000000F001}33724260C:\Windows\Explorer.EXE{C8F4C507-6539-6140-7509-00000000F001}6332C:\Windows\SysWOW64\WerFault.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051922Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:51.182{C8F4C507-5C87-6140-B607-00000000F001}33724260C:\Windows\Explorer.EXE{C8F4C507-6539-6140-7509-00000000F001}6332C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051921Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:51.182{C8F4C507-5C87-6140-B607-00000000F001}33724260C:\Windows\Explorer.EXE{C8F4C507-6539-6140-7509-00000000F001}6332C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051920Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:51.182{C8F4C507-5C87-6140-B607-00000000F001}33724260C:\Windows\Explorer.EXE{C8F4C507-6539-6140-7509-00000000F001}6332C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051919Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:51.166{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-653A-6140-7A09-00000000F001}5136C:\Program Files\Mozilla 
Firefox\pingsender.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051918Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:51.166{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-653A-6140-7A09-00000000F001}5136C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051917Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:51.166{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-653A-6140-7809-00000000F001}5652C:\Program 
Files\Mozilla Firefox\pingsender.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051916Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:51.166{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-653A-6140-7809-00000000F001}5652C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051915Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:51.166{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-653A-6140-7609-00000000F001}6240C:\Program Files\Mozilla Firefox\pingsender.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051914Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:51.166{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-653A-6140-7609-00000000F001}6240C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x800000000000000051913Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:51.072{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E56FE4FD9E567D979A7921B850E7583A,SHA256=1BAC5E59C44516E49F1A715B33376990B586A7C10BDB033918FDF37498CCDBFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027533Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:52.336{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73E73ABF42857F1655E8C9AC0ED25015,SHA256=710D7A37D899781663D8A9B260194DF27B1DE6C53D70E134E62F9D5C4D6704CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051963Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:51.330{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50780-false10.0.1.12-8000- 354300x800000000000000051962Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.792{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50779-true0:0:0:0:0:0:0:1win-dc-158.attackrange.local389ldap 354300x800000000000000051961Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:50.792{C8F4C507-4948-6140-2700-00000000F001}2876C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT 
AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50779-true0:0:0:0:0:0:0:1win-dc-158.attackrange.local389ldap 10341000x800000000000000051960Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:52.494{C8F4C507-653C-6140-7D09-00000000F001}45646768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000051959Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:52.338{C8F4C507-653C-6140-7D09-00000000F001}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000051958Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:52.338{C8F4C507-653C-6140-7D09-00000000F001}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000051957Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:52.338{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-653C-6140-7D09-00000000F001}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051956Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:52.338{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051955Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:52.338{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051954Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:52.338{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051953Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:52.338{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051952Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:52.338{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-653C-6140-7D09-00000000F001}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051951Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:52.338{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-653C-6140-7D09-00000000F001}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000051950Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:52.340{C8F4C507-653C-6140-7D09-00000000F001}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051949Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:52.307{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A45FC278AD7C61E7EF821BB3DE84A29B,SHA256=35568BAE2635D06544BD5A3961FD84D43FAE1A041243303A1479096D740EB6FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051948Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:52.307{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=20064191BC0698A7F0825AFCF480ED1B,SHA256=8B814CCB1400A5AEFF31A8B7312904459C927E9AA158E4D9FD7D59376A3D1D36,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000051947Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:49.122{C8F4C507-6527-6140-5F09-00000000F001}6068domenuscdm.com9003-C:\Temp\fin7_jssloader.exe 354300x800000000000000051979Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:51.488{C8F4C507-653A-6140-7609-00000000F001}6240C:\Program Files\Mozilla Firefox\pingsender.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50782-false34.208.57.189ec2-34-208-57-189.us-west-2.compute.amazonaws.com443https 354300x800000000000000051978Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:51.485{C8F4C507-653A-6140-7A09-00000000F001}5136C:\Program Files\Mozilla Firefox\pingsender.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50781-false34.208.57.189ec2-34-208-57-189.us-west-2.compute.amazonaws.com443https 354300x800000000000000051977Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:51.484{C8F4C507-653A-6140-7809-00000000F001}5652C:\Program Files\Mozilla Firefox\pingsender.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50783-false34.208.57.189ec2-34-208-57-189.us-west-2.compute.amazonaws.com443https 23542300x800000000000000051976Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:53.479{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C9EFBBED5A68A0A617B5B8FFC208C4C,SHA256=85B28442BF134AA2D566AE4AF5D5B4913F9F117EC33B4CEF7C252DD1036065A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051975Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:53.416{C8F4C507-653D-6140-7E09-00000000F001}20721156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000051974Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:53.310{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3518003F1066BF2135E09B9B710B39,SHA256=3863847D94050DD1E14918C436E144F764416CEB3801759175355A462790E915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027534Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:53.352{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E17A83DFF43B43D7A539918D9C47913,SHA256=F06F8406E221FBBB3024ACAD89216C6C8A932CA87CECAD36E82A353BE600008A,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000051973Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:53.182{C8F4C507-653D-6140-7E09-00000000F001}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000051972Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:53.182{C8F4C507-653D-6140-7E09-00000000F001}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000051971Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:53.166{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-653D-6140-7E09-00000000F001}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
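The records above are Sysmon/Operational events from the Splunk attack_range hosts (win-dc-158, win-host-574) whose field delimiters were lost on extraction, so each event reads as one run of header fields, Computer, RuleName, UtcTime and event data. Most of what is visible is forwarder and OS housekeeping: splunkd.exe spawning splunk-powershell.exe and splunk-regmon.exe (Event 1, 7, 10), svchost.exe querying lsass.exe and sysmon64.exe with GrantedAccess 0x1400 through lsm.dll, lsass.exe touching pingsender.exe through SspiSrv.dll during an SSPI call, pingsender.exe talking to Mozilla telemetry on 443 (Event 3), and splunk-winevtlog.exe rotating its checkpoint files (Event 23). The one record that stands out is the Event 22 DNS query from C:\Temp\fin7_jssloader.exe for domenuscdm.com with QueryStatus 9003 (DNS_ERROR_RCODE_NAME_ERROR, i.e. NXDOMAIN).

The script below is an added example, not part of the dataset or of any Splunk tooling. It splits the delimiter-stripped dump back into records on the Sysmon header (the Task field always equals the EventID, which a backreference exploits), recovers the fields of Event 10 and Event 22 where the layout leaves the boundary unambiguous, and runs two triage rules over them: a DNS query issued by an image outside the Windows and Program Files trees, and a ProcessAccess on lsass.exe whose GrantedAccess includes PROCESS_VM_READ (0x10). Every field boundary the regexes assume is an assumption about this flattened form, not a Sysmon format; the source PID and TID of Event 10 run together and cannot be separated at all, so they are kept as one string. The sample input is five records copied from the dump (two call traces cut to their first frames) plus one synthetic lsass record that is not in the dataset and exists only to show the second rule firing; the dataset's own lsass records (0x1400 from svchost.exe, 0x1000 from lsass.exe itself) do not trip it.

```python
"""Triage of a separator-stripped Sysmon/Operational dump (added example, not dataset code)."""
from __future__ import annotations

import re

# Header as it survives the flattening: EventID Version Level Task Opcode Keywords RecordID
# Channel Computer RuleName [EventType] UtcTime <event data>. Sysmon sets Task == EventID, so the
# backreference resolves e.g. "10341000x8000..." into EventID=10 Version=3 Level=4 Task=10 Opcode=0.
HEADER = re.compile(
    r"^(?P<eid>\d{1,2})(?P<ver>\d)(?P<level>\d)(?P=eid)(?P<opcode>\d)"
    r"0x8000000000000000(?P<record>\d+)Microsoft-Windows-Sysmon/Operational"
    r"(?P<host>.+?)-(?P<optype>[A-Za-z]*)"  # RuleName '-' then e.g. 'CreatePipe' for Event 17
    r"(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})(?P<data>.*)$"
)
# Records are separated by whitespace immediately followed by the next header.
RECORD_START = re.compile(r"\s+(?=\d{5,7}0x8000000000000000\d+Microsoft-Windows-Sysmon/)")

# Event 10 (ProcessAccess): SourceGUID SourcePID+TID SourceImage TargetGUID TargetPID TargetImage
# GrantedAccess CallTrace. PID and TID run together (assumption: unrecoverable, kept as one string).
# GrantedAccess is matched lazily because the CallTrace starts with a drive letter, a valid hex digit.
EV10 = re.compile(
    r"^\{(?P<sguid>[^}]+)\}(?P<spid_tid>\d+)(?P<simage>[A-Za-z]:\\.+?)"
    r"\{(?P<tguid>[^}]+)\}(?P<tpid>\d+)(?P<timage>[A-Za-z]:\\.+?)"
    r"(?P<access>0x[0-9a-fA-F]+?)(?P<trace>[A-Za-z]:\\.*)$"
)
# Event 22 (DNSQuery): ProcessGUID PID QueryName QueryStatus QueryResults Image.
# Assumption: the query name starts with a letter, which is what separates it from the PID.
EV22 = re.compile(
    r"^\{(?P<guid>[^}]+)\}(?P<pid>\d+)(?P<query>[A-Za-z][\w.-]*?)"
    r"(?P<status>\d+)(?P<results>.*?)(?P<image>[A-Za-z]:\\.*)$"
)
DATA_RE = {10: EV10, 22: EV22}

TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
PROCESS_VM_READ = 0x0010  # the access bit credential dumpers need on lsass.exe


def split_records(dump: str) -> list[str]:
    """Cut the flattened dump into one string per Sysmon record."""
    return [r for r in RECORD_START.split(dump.strip()) if r]


def parse_record(record: str) -> dict | None:
    """Header fields for any record; event-data fields for Event 10 and 22."""
    m = HEADER.match(record)
    if m is None:
        return None
    ev = m.groupdict()
    ev["eid"] = int(ev["eid"])
    data = ev.pop("data")
    sub = DATA_RE.get(ev["eid"])
    if sub and (d := sub.match(data)):
        ev.update(d.groupdict())
    return ev


def triage(dump: str) -> list[tuple[str, str, str]]:
    """Return (record_id, rule, detail) for each record that trips a rule."""
    hits = []
    for ev in filter(None, map(parse_record, split_records(dump))):
        if ev["eid"] == 22 and "image" in ev and not ev["image"].lower().startswith(TRUSTED_DIRS):
            hits.append((ev["record"], "dns-query-from-untrusted-path",
                         f"{ev['image']} -> {ev['query']} (QueryStatus {ev['status']})"))
        elif ev["eid"] == 10 and "timage" in ev and ev["timage"].lower().endswith("\\lsass.exe"):
            if int(ev["access"], 16) & PROCESS_VM_READ:
                hits.append((ev["record"], "lsass-process-vm-read",
                             f"{ev['simage']} GrantedAccess {ev['access']}"))
    return hits


# Constructed sample: four records copied from the dump above (two call traces cut to their
# first frames) joined with the dump's single-space separator, plus one SYNTHETIC record.
SAMPLE_DUMP = " ".join([
    # Event 22: DNS lookup by a binary in C:\Temp, QueryStatus 9003 = NXDOMAIN
    r"22542200x800000000000000051947Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:49.122{C8F4C507-6527-6140-5F09-00000000F001}6068domenuscdm.com9003-C:\Temp\fin7_jssloader.exe",
    # Event 10: svchost.exe (lsm.dll) querying lsass.exe with 0x1400; first three CallTrace frames
    r"10341000x800000000000000051929Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:51.275{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b",
    # Event 10: lsass.exe reaching into pingsender.exe during an SSPI call; first five CallTrace frames
    r"10341000x800000000000000051915Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:51.166{C8F4C507-4936-6140-0B00-00000000F001}6322276C:\Windows\system32\lsass.exe{C8F4C507-653A-6140-7609-00000000F001}6240C:\Program Files\Mozilla Firefox\pingsender.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2",
    # Event 3: header-parsed only, no Event 3 field regex in this example
    r"354300x800000000000000051979Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:51.488{C8F4C507-653A-6140-7609-00000000F001}6240C:\Program Files\Mozilla Firefox\pingsender.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-158.attackrange.local50782-false34.208.57.189ec2-34-208-57-189.us-west-2.compute.amazonaws.com443https",
    # SYNTHETIC (not in the dataset): a hypothetical tool in C:\Temp opening lsass.exe with PROCESS_VM_READ
    r"10341000x800000000000000099999Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:55.000{00000000-0000-0000-0000-000000000000}11112222C:\Temp\dumper.exe{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd",
])

if __name__ == "__main__":
    for rec_id, rule, detail in triage(SAMPLE_DUMP):
        print(f"record {rec_id}: {rule}: {detail}")
```

Run as-is it reports record 51947 (the C:\Temp loader's NXDOMAIN lookup) and the synthetic record 99999; the dataset's own lsass.exe accesses stay quiet because 0x1400 carries only the query bits. Treat this as a recovery aid for a damaged export: for real ingestion keep the EVTX or the XML rendering, where SourceProcessId, SourceThreadId and QueryResults arrive as separate fields and none of these boundary assumptions are needed.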
10341000x800000000000000051970Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:53.166{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051969Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:53.166{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051968Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:53.166{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051967Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:53.166{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051966Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:53.166{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-653D-6140-7E09-00000000F001}2072C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051965Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:53.166{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-653D-6140-7E09-00000000F001}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000051964Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:53.011{C8F4C507-653D-6140-7E09-00000000F001}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027536Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:54.571{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F91743731C55573FC0E59491465C46B,SHA256=7D1F1661C910EDF2ECC384525AF149533458B83CF8C8EB27114E84E7A56A8250,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051991Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:54.900{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3990BBED55A0397D6929998C03FD8292,SHA256=2359E22D5074828482B1658794822EFA42C1A7C997E18B8DAAE442599DCBCAD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051990Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:54.322{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC10198D682BCBCFAE0C9AA58C3B066,SHA256=D51A216304BA6BDABA7EA08C1675475F60ED31C3D7C887F86962F98C647E4D1F,IMPHASH=00000000000000000000000000000000falsetrue 
734700x800000000000000051989Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:54.041{C8F4C507-653D-6140-7F09-00000000F001}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000051988Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:54.041{C8F4C507-653D-6140-7F09-00000000F001}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000051987Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:54.041{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-653D-6140-7F09-00000000F001}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051986Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:54.025{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051985Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:54.025{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051984Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:54.025{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051983Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:54.025{C8F4C507-4937-6140-0C00-00000000F001}8486952C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051982Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:54.025{C8F4C507-4936-6140-0500-00000000F001}416432C:\Windows\system32\csrss.exe{C8F4C507-653D-6140-7F09-00000000F001}6572C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051981Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:54.025{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-653D-6140-7F09-00000000F001}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000051980Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:53.901{C8F4C507-653D-6140-7F09-00000000F001}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000027535Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:50.751{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51053-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027537Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:55.664{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F19CD38B81F991D3FE7D862D71D486,SHA256=6F87A59922F422B46DAF5368423356B83A59C048D3249E7CDEF4BBD9BC15DEA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051992Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:55.354{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04528E3780B2DBB770D9F78D653C4797,SHA256=E568314FA7789AA095118EC7F220D145B025005EF340773FD91C39F2BC7E0A4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027538Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:56.758{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCD1A7EA55333DF5DC4CB97E2BDC23D8,SHA256=83FE70EBFC4013885422F0D3396AA21106195D9B294B44EB4A9C5A813FC464CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051993Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:56.369{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8B746730E151A16787DC2FC3EA7796F,SHA256=3F3F611A519F421C96A48E782569693A67796B75E7AFA8ADE5067FADBB667BF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027539Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:02:57.805{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3B20A9763F357CF44C8CD98C89F0BFE,SHA256=C1015F9BA2A99D3CA7F3C354F4BC5B91BAA26808C02F80F19846FF04E697B5AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052018Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:57.838{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E84FF4F3CADEBC68BAB80681207F8BDB,SHA256=53D04E9F495AA50F5D42CD8976BCAE333001A054DC4236AE2F9559EE70E67C6F,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000052017Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:02:57.229{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+11555(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000052016Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:57.229{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+11555(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000052015Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:57.229{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+11555(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000052014Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:57.229{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+11555(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000052013Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:57.229{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+11555(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000052012Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:57.229{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+11555(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000052011Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:57.229{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+11555(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000052010Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:57.229{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+11555(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000052009Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:02:57.229{C8F4C507-6539-6140-7509-00000000F001}63325356C:\Windows\SysWOW64\WerFault.exe{C8F4C507-6527-6140-5F09-00000000F001}6068C:\Temp\fin7_jssloader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+11555(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000052008Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:03:17.116{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=545B9E7665EB43DDBF898D060A5706A5,SHA256=252F12260C5FD10E1553E947F63486EE9F0DA906E14681279DA9A26E2D188785,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027564Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:13.796{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51058-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027566Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:18.476{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D3010BBECC750A7EDB142B2673D9BB,SHA256=9DC30F4A4C52CDE763C60F2FF5E9A5DEC99CA81BBDB7D57F474EA58775F0245A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052046Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:03:18.772{C8F4C507-4936-6140-0B00-00000000F001}6324692C:\Windows\system32\lsass.exe{C8F4C507-4934-6140-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000052045Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:18.256{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DFCA7AC207D8C6439C63A4B091F48D5,SHA256=490DD200E20E299DB2A78A4D52329DC77E9A6B5433CEBA53534B4E42C021B3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027567Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:19.710{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41B3A9AD15F629A6E47215AC6125436D,SHA256=F02D63B7B1448E8A0A8C5E5C4C98CC76F87CCBF532764EB16197E54A13AFF2B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052049Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:19.787{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC8BABEEEA036F24A04F9D8B0E166EB2,SHA256=4F98032880D801AA20E1F48FA5398074D8B51BBA879C29C9EA3361467B5B8825,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052048Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:19.787{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29FF018E1483FCFF2EBD600217F14DD2,SHA256=F3DDDDBFBA248EAF6F20E21E2CAEE2E1A35A9302F1F25003C1795996202BE3A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052047Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:19.256{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F9DAED731D956025A7470AC80264383,SHA256=DDA610FB39A3255ACDA5CF54FD560484E5CBB02A890591A8DEB48D496DF27F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027568Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:20.741{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0E2BBD8CF91B658C7CB4593A7A29E42,SHA256=DA3ED79E1B0B700A3DB3E2C7D4B10B7C445B2927C60FD07D7A8173B29523ADBB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000052066Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 09:03:20.772{C8F4C507-4938-6140-1000-00000000F001}420C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e4993b72-8405-43b8-9f24-ac8de1153823}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x800000000000000052065Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 09:03:20.772{C8F4C507-4938-6140-1000-00000000F001}420C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e4993b72-8405-43b8-9f24-ac8de1153823}\IsServerNapAwareDWORD (0x00000000) 13241300x800000000000000052064Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 09:03:20.772{C8F4C507-4938-6140-1000-00000000F001}420C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e4993b72-8405-43b8-9f24-ac8de1153823}\AddressTypeDWORD (0x00000000) 13241300x800000000000000052063Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 09:03:20.772{C8F4C507-4938-6140-1000-00000000F001}420C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e4993b72-8405-43b8-9f24-ac8de1153823}\LeaseTerminatesTimeDWORD (0x61407368) 13241300x800000000000000052062Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 
09:03:20.772{C8F4C507-4938-6140-1000-00000000F001}420C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e4993b72-8405-43b8-9f24-ac8de1153823}\T2DWORD (0x614071a6) 13241300x800000000000000052061Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 09:03:20.772{C8F4C507-4938-6140-1000-00000000F001}420C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e4993b72-8405-43b8-9f24-ac8de1153823}\T1DWORD (0x61406c60) 13241300x800000000000000052060Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 09:03:20.772{C8F4C507-4938-6140-1000-00000000F001}420C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e4993b72-8405-43b8-9f24-ac8de1153823}\LeaseObtainedTimeDWORD (0x61406558) 13241300x800000000000000052059Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 09:03:20.772{C8F4C507-4938-6140-1000-00000000F001}420C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e4993b72-8405-43b8-9f24-ac8de1153823}\LeaseDWORD (0x00000e10) 13241300x800000000000000052058Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 09:03:20.772{C8F4C507-4938-6140-1000-00000000F001}420C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e4993b72-8405-43b8-9f24-ac8de1153823}\DhcpServer10.0.1.1 13241300x800000000000000052057Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 09:03:20.772{C8F4C507-4938-6140-1000-00000000F001}420C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e4993b72-8405-43b8-9f24-ac8de1153823}\DhcpSubnetMask255.255.255.0 13241300x800000000000000052056Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 
09:03:20.772{C8F4C507-4938-6140-1000-00000000F001}420C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e4993b72-8405-43b8-9f24-ac8de1153823}\DhcpIPAddress10.0.1.14 13241300x800000000000000052055Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 09:03:20.772{C8F4C507-4938-6140-1000-00000000F001}420C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e4993b72-8405-43b8-9f24-ac8de1153823}\DhcpInterfaceOptionsBinary Data 10341000x800000000000000052054Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:20.412{C8F4C507-4938-6140-1600-00000000F001}13245200C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2F00-00000000F001}1620C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052053Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:03:20.412{C8F4C507-4938-6140-1600-00000000F001}13245200C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2F00-00000000F001}1620C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000052052Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:18.890{C8F4C507-4934-6140-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local50788-truefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local445microsoft-ds 354300x800000000000000052051Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:18.890{C8F4C507-4934-6140-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local50788-truefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local445microsoft-ds 23542300x800000000000000052050Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:20.272{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBC9489801AD57FB3663E4875F2F5B67,SHA256=BDF4CA2D9F79472A95BD8AAB14D4E188681072F0EEAECD97DDF05108E0134EFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027569Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:21.757{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D5FF8614CD621D77D78C77FEBBA02BA,SHA256=A2D255A97C6A990B78F7A9B99CC92E5904CE0D0851C689ED2FCD52CDC961CA88,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000052079Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 09:03:21.491{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000052078Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 09:03:21.491{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006df5b8) 13241300x800000000000000052077Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 09:03:21.491{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a93e-0xfbd5df93) 13241300x800000000000000052076Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 09:03:21.491{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD 
(0x01d7a947-0x5d9a4793) 13241300x800000000000000052075Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 09:03:21.491{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a94f-0xbf5eaf93) 13241300x800000000000000052074Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 09:03:21.491{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000052073Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 09:03:21.491{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006df5b8) 13241300x800000000000000052072Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 09:03:21.491{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a93e-0xfbd5df93) 13241300x800000000000000052071Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 09:03:21.491{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a947-0x5d9a4793) 13241300x800000000000000052070Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 09:03:21.491{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a94f-0xbf5eaf93) 23542300x800000000000000052069Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:03:21.319{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71758F6033FCB3324D12A2FDDE6A7DC6,SHA256=DAD3D6E0EF4D14C86E4F559B6D213B72C160E2E69AAF806D4DA38866A768C908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052068Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:21.241{C8F4C507-4938-6140-1000-00000000F001}420NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2752BD0B90C8C354BFC71DCC4486D970,SHA256=BA59FC3DB363A0814121DA4FCFF1C403FDEB6D9945401D07CAF88E7577474CF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052067Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:19.170{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local50789-false10.0.1.12-8000- 10341000x800000000000000027597Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:22.819{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027596Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:22.819{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027595Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:22.819{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-655A-6140-AF06-00000000F101}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027594Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:22.819{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027593Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:22.819{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027592Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:22.819{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027591Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:22.819{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027590Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:22.819{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027589Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:22.819{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027588Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:22.819{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027587Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:22.819{4A7D70D7-4BB7-6140-0500-00000000F101}416952C:\Windows\system32\csrss.exe{4A7D70D7-655A-6140-AF06-00000000F101}2776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027586Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:22.819{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-655A-6140-AF06-00000000F101}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027585Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:22.820{4A7D70D7-655A-6140-AF06-00000000F101}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027584Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:22.773{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=586FC643248AA4564E0E697040794240,SHA256=9DEB8A7FC3712287CAC9C158AF86F1FFFB940CF100177D944B549A5965A11913,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000052098Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 09:03:22.803{C8F4C507-4938-6140-1400-00000000F001}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E4993B72-8405-43B8-9F24-AC8DE1153823}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000052097Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 09:03:22.803{C8F4C507-4938-6140-1400-00000000F001}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E4993B72-8405-43B8-9F24-AC8DE1153823}\StaleAdapterDWORD (0x00000000) 13241300x800000000000000052096Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 09:03:22.803{C8F4C507-4938-6140-1400-00000000F001}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E4993B72-8405-43B8-9F24-AC8DE1153823}\CompartmentIdDWORD (0x00000001) 
13241300x800000000000000052095Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 09:03:22.803{C8F4C507-4938-6140-1400-00000000F001}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E4993B72-8405-43B8-9F24-AC8DE1153823}\FlagsDWORD (0x00000002) 13241300x800000000000000052094Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 09:03:22.803{C8F4C507-4938-6140-1400-00000000F001}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E4993B72-8405-43B8-9F24-AC8DE1153823}\TtlDWORD (0x000004b0) 13241300x800000000000000052093Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 09:03:22.803{C8F4C507-4938-6140-1400-00000000F001}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E4993B72-8405-43B8-9F24-AC8DE1153823}\SentPriUpdateToIpBinary Data 13241300x800000000000000052092Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 09:03:22.803{C8F4C507-4938-6140-1400-00000000F001}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E4993B72-8405-43B8-9F24-AC8DE1153823}\SentUpdateToIpBinary Data 13241300x800000000000000052091Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 09:03:22.803{C8F4C507-4938-6140-1400-00000000F001}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E4993B72-8405-43B8-9F24-AC8DE1153823}\DnsServersBinary Data 13241300x800000000000000052090Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 
09:03:22.803{C8F4C507-4938-6140-1400-00000000F001}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E4993B72-8405-43B8-9F24-AC8DE1153823}\HostAddrsBinary Data 13241300x800000000000000052089Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 09:03:22.803{C8F4C507-4938-6140-1400-00000000F001}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E4993B72-8405-43B8-9F24-AC8DE1153823}\PrimaryDomainNameattackrange.local 13241300x800000000000000052088Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 09:03:22.803{C8F4C507-4938-6140-1400-00000000F001}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E4993B72-8405-43B8-9F24-AC8DE1153823}\AdapterDomainName(Empty) 13241300x800000000000000052087Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 09:03:22.803{C8F4C507-4938-6140-1400-00000000F001}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E4993B72-8405-43B8-9F24-AC8DE1153823}\Hostnamewin-dc-158 10341000x800000000000000052086Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:03:22.803{C8F4C507-4936-6140-0B00-00000000F001}6324692C:\Windows\system32\lsass.exe{C8F4C507-4938-6140-1400-00000000F001}1064C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30485|C:\Windows\system32\lsasrv.dll+2e31b|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x800000000000000052085Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-SetValue2021-09-14 09:03:22.803{C8F4C507-4938-6140-1400-00000000F001}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{E4993B72-8405-43B8-9F24-AC8DE1153823}\RegisteredSinceBootDWORD (0x00000001) 23542300x800000000000000052084Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:22.319{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46BE23EF0FCC78E866A0DCC3FDB0CF59,SHA256=95FC807249292C5227EC0BDE85620D84D2422195ADFE909D418D86A85FDCCD89,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000027583Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:22.335{4A7D70D7-655A-6140-AE06-00000000F101}39281620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027582Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:22.147{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-655A-6140-AE06-00000000F101}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027581Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:22.147{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027580Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:22.147{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027579Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:22.147{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027578Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:22.147{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027577Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:22.147{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027576Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:22.147{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027575Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:22.147{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027574Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:22.147{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027573Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:22.147{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027572Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:22.147{4A7D70D7-4BB7-6140-0500-00000000F101}416432C:\Windows\system32\csrss.exe{4A7D70D7-655A-6140-AE06-00000000F101}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027571Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:22.147{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-655A-6140-AE06-00000000F101}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027570Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:22.148{4A7D70D7-655A-6140-AE06-00000000F101}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000052083Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:20.967{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50153- 354300x800000000000000052082Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:20.895{C8F4C507-4938-6140-1400-00000000F001}1064C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEudptruetruea00:10e:0:0:c8c0:1c60:8a91:ffff-58068-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x800000000000000052081Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:20.895{C8F4C507-4938-6140-1400-00000000F001}1064C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local58068-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x800000000000000052080Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:20.889{C8F4C507-4938-6140-1000-00000000F001}420C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-158.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 354300x800000000000000052105Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:22.926{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-158.attackrange.local53784-false10.0.1.14win-dc-158.attackrange.local53domain 354300x800000000000000052104Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:22.926{C8F4C507-4938-6140-1400-00000000F001}1064C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-158.attackrange.local53784-false10.0.1.14win-dc-158.attackrange.local53domain 354300x800000000000000052103Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:22.924{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-158.attackrange.local53domainfalse10.0.1.14win-dc-158.attackrange.local63972- 354300x800000000000000052102Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:22.924{C8F4C507-4938-6140-1400-00000000F001}1064C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEudptruefalse10.0.1.14win-dc-158.attackrange.local63972-false10.0.1.14win-dc-158.attackrange.local53domain 354300x800000000000000052101Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:22.923{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50668- 23542300x800000000000000052100Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:23.850{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC8BABEEEA036F24A04F9D8B0E166EB2,SHA256=4F98032880D801AA20E1F48FA5398074D8B51BBA879C29C9EA3361467B5B8825,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052099Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:23.366{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0BE05A16F9FA16D118BCBD652351E66,SHA256=119761AE585DCCAB55F53C5B65BD5EBD89F8577F687361A26CEF7DA8F92CD7B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027613Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:23.491{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-655B-6140-B006-00000000F101}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000027612Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:23.491{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027611Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:23.491{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000027610Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:23.491{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027609Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:23.491{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027608Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:23.491{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027607Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:23.491{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027606Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:23.491{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027605Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:23.491{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027604Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:23.491{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027603Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:23.491{4A7D70D7-4BB7-6140-0500-00000000F101}416432C:\Windows\system32\csrss.exe{4A7D70D7-655B-6140-B006-00000000F101}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027602Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:23.491{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-655B-6140-B006-00000000F101}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027601Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:23.492{4A7D70D7-655B-6140-B006-00000000F101}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027600Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:23.148{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA1EEE107EB1BF9C0FCFCF0921510ED4,SHA256=6732D8C09F68041058187ECC6EFAB9FA428304FAE549302AA3766D01C9D8BA80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027599Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:23.148{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=228452F6F212F9EF9D36EBFA0CA5DB4E,SHA256=74217A3D5FA32C41B6959403B8672E5AD63515A9FE608217769B591908514465,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027598Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:19.702{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51059-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027615Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:24.616{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA1EEE107EB1BF9C0FCFCF0921510ED4,SHA256=6732D8C09F68041058187ECC6EFAB9FA428304FAE549302AA3766D01C9D8BA80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027614Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:24.304{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55FE20825E7C31624B87B3AFA423C263,SHA256=0700F86F38DB6B6061E2EE5C958655E2F1EC253B2F62A69A1C3282D5272017FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052106Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:24.381{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52B8609C46FBC9E60768B46C87E4357E,SHA256=AB12DE4DDD57AE3E7BAE94B0A11F93B6CD8C0F0B9EE8271A241E709B9C3AFBA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027630Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:25.616{4A7D70D7-655D-6140-B106-00000000F101}8082712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027629Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:25.444{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-655D-6140-B106-00000000F101}808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027628Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:25.444{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027627Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:25.444{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027626Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:25.444{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027625Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:25.444{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027624Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:25.444{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027623Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:25.444{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027622Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:25.444{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027621Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:25.444{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027620Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:25.444{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027619Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:25.444{4A7D70D7-4BB7-6140-0500-00000000F101}416952C:\Windows\system32\csrss.exe{4A7D70D7-655D-6140-B106-00000000F101}808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027618Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:25.444{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-655D-6140-B106-00000000F101}808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027617Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:25.445{4A7D70D7-655D-6140-B106-00000000F101}808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027616Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:25.319{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0884FAEE1254F420DDEBF4649E9F5118,SHA256=56BE4E7162211A77C681A708FCE63B6F33D2A28BFEF6D9CE9F9F5278259A9C92,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052117Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:03:22.935{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-158.attackrange.local59847-false10.0.1.14win-dc-158.attackrange.local53domain 354300x800000000000000052116Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:22.935{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-158.attackrange.local53domainfalse10.0.1.14win-dc-158.attackrange.local59847- 354300x800000000000000052115Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:22.935{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:c8c0:1c60:8a91:ffff-59847-truea00:10e:0:0:0:0:0:0win-dc-158.attackrange.local53domain 354300x800000000000000052114Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:22.935{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50968- 354300x800000000000000052113Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:22.934{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50954- 354300x800000000000000052112Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:22.934{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50954-true0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domain 354300x800000000000000052111Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:22.934{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local50984- 354300x800000000000000052110Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:22.928{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53785-true0:0:0:0:0:0:0:1win-dc-158.attackrange.local389ldap 354300x800000000000000052109Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:22.928{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53785-true0:0:0:0:0:0:0:1win-dc-158.attackrange.local389ldap 354300x800000000000000052108Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:22.927{C8F4C507-4948-6140-2E00-00000000F001}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-158.attackrange.local53domainfalse10.0.1.14win-dc-158.attackrange.local52657- 23542300x800000000000000052107Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:25.381{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=922885124503834CA1956F97B7E8CDAC,SHA256=DBFE164117137072FD52A852BA599B7682E73820534196F64F757DD007642D0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027660Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:26.944{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A3D5EAAF99C46D6F6FF5B84D275E9C2,SHA256=F2773F328D2D7044775D4E5A24603DB06C5BD3F6A2817F12892AFADE2088FE4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027659Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:26.944{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=195B99E14712D4D590ED47182F45611F,SHA256=0F054425F4C3ED6D8A5338D326942059F74B482908E8B9380E9EBA41196BF36A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027658Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:26.835{4A7D70D7-655E-6140-B306-00000000F101}37761000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027657Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:26.616{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-655E-6140-B306-00000000F101}3776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027656Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:26.616{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027655Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:26.616{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027654Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:26.616{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027653Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:26.616{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027652Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:26.616{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027651Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:26.616{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027650Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:26.616{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027649Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:26.616{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027648Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:26.616{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027647Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:26.616{4A7D70D7-4BB7-6140-0500-00000000F101}416532C:\Windows\system32\csrss.exe{4A7D70D7-655E-6140-B306-00000000F101}3776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027646Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:26.616{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-655E-6140-B306-00000000F101}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027645Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:26.617{4A7D70D7-655E-6140-B306-00000000F101}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000052119Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:25.201{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local53786-false10.0.1.12-8000- 23542300x800000000000000052118Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:26.397{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0363661943BAF74BBDE089C6B788880F,SHA256=0D77EB875C66E4FD1E599444C2B41338C00DDA0A1512D88276AA299317C780EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027644Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:26.366{4A7D70D7-655E-6140-B206-00000000F101}16042012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027643Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:26.116{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-655E-6140-B206-00000000F101}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027642Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:26.116{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027641Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:26.116{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027640Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:26.116{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027639Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:26.116{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027638Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:26.116{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027637Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:26.116{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027636Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:26.116{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027635Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:26.116{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027634Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:26.116{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027633Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:26.116{4A7D70D7-4BB7-6140-0500-00000000F101}416532C:\Windows\system32\csrss.exe{4A7D70D7-655E-6140-B206-00000000F101}1604C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027632Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:26.116{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-655E-6140-B206-00000000F101}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027631Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:26.117{4A7D70D7-655E-6140-B206-00000000F101}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052120Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:27.444{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C9D794C3D559AD4CB9CAD5CB0CBA3C,SHA256=BB139E84730AE0091C0231775122D80B00C0AF95B271DAEFF393F6DE0279DBA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027673Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:27.569{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-655F-6140-B406-00000000F101}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027672Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:27.569{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027671Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:27.569{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027670Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:27.569{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027669Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:27.569{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027668Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:27.569{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027667Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:27.569{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027666Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:27.569{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027665Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:27.569{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027664Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:27.569{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027663Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:27.569{4A7D70D7-4BB7-6140-0500-00000000F101}416532C:\Windows\system32\csrss.exe{4A7D70D7-655F-6140-B406-00000000F101}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027662Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:27.569{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-655F-6140-B406-00000000F101}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027661Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:27.570{4A7D70D7-655F-6140-B406-00000000F101}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052121Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:28.444{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD437CBA8D14BC6D62884F732B0D5254,SHA256=BA06DDE4873394744F515F0B58E466EF4DD5341887C85E3E01E3EAE6C817FA52,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000027676Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:28.647{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25F9090E8CF469CF2ED7DD45D97DA73A,SHA256=9195E77A3E1BCDB70190A786A6A210FC68604A2175EB40E5B872B7C76380DF60,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027675Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:24.812{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51060-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027674Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:28.085{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E793DB03AD32000BE50D386EAC7A1D,SHA256=53FB397280CAAE033CD23D14426DBA0BFE12EAF8F2B9B0071A769EF56F4F6A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052122Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:29.459{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C3C3C5865B5385ED3AEC73A3F65407D,SHA256=0FBD7266C08797C74D3188DFBDE1DB783834076EFF9F18C32509CF3B2A6A9D3A,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000027677Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:29.147{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AF063ABDE201ED4BA4AF6F295407265,SHA256=3CAD974CD87C670E4E3775158C6073021BC8AC3CE4B151EE91325ED818BD856F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052125Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:30.584{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6EE17D4681CEF149EC84039DAF52BC1,SHA256=ADAD063EA96E41AED9E6F8AF44817869C139DAB8C2CA6746D9EC1519B86836D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052124Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:30.584{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=003FC64A5199126157C85D611F7BB70F,SHA256=51CF5328EFFC1970783C02C5D1F66AAA62D1BC95A5EA7EE553849AA162734103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052123Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:30.475{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C8118557DEE6C3D4CEA7AAA5D519D89,SHA256=B6ABCC3B69468235D412BAABAF66E650110BAA6983AD13CA018A39F087652F66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027678Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:30.210{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D462EDB0EE9311298E2EB5B3905F6E8,SHA256=27AFAD1F13710FA96C7ECA11911FD331879D8A01AABBBAF4F69CA3F17EDEA26A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027679Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:31.241{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9557B49C74AE8F4FD8BD5E9928A3E8B,SHA256=8A1F5BF57B7E1D194F7424FCA0FDE82FD5A602D3EDA18D5AD90D069B32ECC201,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052127Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:31.506{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89FB5D9B390B1663940236330F6C7C1F,SHA256=3BE5663CD24ED86897E4031002069C8CAB3DBA6A2FA2C885CD9B2517901F712C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052126Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:30.201{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local53787-false10.0.1.12-8000- 23542300x800000000000000052128Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:32.522{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5970391896FCB471799C1FE7E8A6B10F,SHA256=2F16E5CE409C24A87E8C3FB2AC0D4D36313C11D0A5C9A2619753A3CDC11D1447,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027680Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:32.272{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A740C916B3249369771E58C1A0B2B3,SHA256=6D4ED366BA9D639DE3A7CEC390FAEAFF3479A3B23EDFF041D6C854B60D37A228,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052129Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:33.522{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FDAD6A07E8511DB14C336892EE242DC,SHA256=9D4780AA2E6992C2CC284EE69D77A607EAA6AC35189597D936C07BA5DA946C18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027681Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:33.288{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C29142A8BF3686FA477EDD80862D9584,SHA256=A70E58C2CF58CEC5C0E862DB1CF466C8E8C0C8A8DADC86480BE0F2E8B03B2B7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052130Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:34.522{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B327F9FBBCEA06D5ABC98063AD6E9FE,SHA256=0C762BB677FA6537BA8100BF60DD27BA1C90C7875F485BF0636EAE64824BC4D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027683Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:30.608{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51061-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027682Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:34.303{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20A2825561E7603968A6A2CB990F092F,SHA256=EB36A3F54CCD43AC9E3A49E042D6CAB3EEAE2D51AEC21B52E4938558C01165B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027684Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:35.319{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B3E6CCC04C87713E134A7F988A31C92,SHA256=108B5AFFF74F3451F8D925DAF229F48F1EE94F481BD8259BE933B7D3FCD951D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052131Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:35.522{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=234320D1CE60FCBFF83F64B140958D33,SHA256=6E2CA4A5367E8FDD1272583C52B7C8AD13E1BCCA7E6F04401223808F1E759093,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052134Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:35.270{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local53788-false10.0.1.12-8000- 23542300x800000000000000052133Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:36.533{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C296103467A34828D4F24C722385AED8,SHA256=975781052D3418A46488197EE834166ED45B0922F5D0DA8745050A5979C2ABD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027685Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:36.335{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5F3B2841F715FBF14A632662DCBE91D,SHA256=781E36CF3EE7594F0426B9C3DA9706D74688466B70679A12F8CF61133B2D8FE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052132Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:36.323{C8F4C507-4948-6140-2A00-00000000F001}2916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0477d517a1c234eb8\channels\health\respondent-20210914070338-116MD5=444213A5E4761AD14A80FA7E47991D82,SHA256=0DBDB8A4E56CED56EF8E5BF7E0DBD8D08A5C60B4FE09EE301DC946EF89962DD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052137Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:37.579{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A5C821C090DD35183E05E189DF551AD,SHA256=1A1D57100B91BAF58A666695D9478AEF5AE92C6460ED4A11E6DF2E11539BC7CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027686Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:37.366{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2AD2A5BCDD3ADEBF30D592CD908356D,SHA256=FBD881B50179A4FAB8A1E09058E281E59AEBE51AFBF4D555BE036D36DA61012B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052136Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:37.332{C8F4C507-4948-6140-2A00-00000000F001}2916NT AUTHORITY\SYSTEMC:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0477d517a1c234eb8\channels\health\surveyor-20210914070336-117MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052135Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:37.268{C8F4C507-4948-6140-2D00-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=97307B6C6226AFFEFEDDF9EBA24D5EA3,SHA256=4CB856A974CB30F2D8F223261AE885385947BBAEFF3925236FB5B2D7588E78E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052139Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:37.370{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local53789-false10.0.1.12-8089- 23542300x800000000000000052138Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:38.600{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D14796C8537E98086B7FF046F1AE7F,SHA256=B382B58199B8E54C23954810E4477BE4D54F77A5E044BA0D8DB75451D0A84717,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027687Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:38.397{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB9F0EC7F1BA2CEDE9EE45289192343,SHA256=C6ABBBD028A4284C11C2262685710F54730A0FF3EDD7399FB6CE722AEEB1A00C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052140Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:39.617{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8159FF29105BBE4627AA3EAF1096FBD2,SHA256=013AC3122F049420306045EFF915CEC0E7519DB6231D74D0504B0F1178FE1DCD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027689Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:35.795{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51062-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027688Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:39.413{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F4A91E55875D5513D9900681699908F,SHA256=6AF039272459435596B2A6C445C99E0C7898F9B29134A432BDC5275C08034C3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052141Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:40.632{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C5628ABCE9B5BD94F353AFA9631B057,SHA256=AC7ACC39C3CEC4CD1B098BEE3E20EA173A7412D4E04BEDD58732FD2DE8C4FC3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027690Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:40.428{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CAC45006BA8A4ED20613E8D4FE2C969,SHA256=E0B7CAAEF834EE76BA71DCA2CA67DCD432FB137A3684ADABB9A399EA2A205EDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052142Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:41.648{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=309CE9BB54F0D62CF54E13CBFCD5D0E0,SHA256=696B5AE4E90ACA7E40B144ABF468075C4BFEE71ABB974903FA13F07D11877004,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027691Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:41.459{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CEAD6006BF9EE1708FC7CE73B3D5D1F,SHA256=8B4B2CFD4D4D5E46078A7F12B0233CBDE535A7DF178BF8EAD53000C7D3D5F248,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052144Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:41.156{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local53790-false10.0.1.12-8000- 23542300x800000000000000052143Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:42.648{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F07864C1E18B2C6F46A9EC729C0A9307,SHA256=D27A5EC35B7A1FA86FE85C34B291681C8A98512A0FDD7F4DC10BEE0D5C9BE77E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027692Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:42.475{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81B0074ADC4E0B46437FEAE6C9E00A6B,SHA256=7B467AFB0C871732132F03DF16AC064A941C93637D79C2C1A65445BF957ADCAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052145Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:43.664{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=273925EC63518007A1593767478E582A,SHA256=FB6363E501B1D794BE20453335EBB1436146E754AF8CEE29FA59C87D0EDB8240,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027693Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:43.506{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0356324773FB837B843DD0C60D124E9,SHA256=735734A6D7A57AA17BA85A089EF7AAAC71AAD0CD0F27A5823E7C32DA8632BA3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027694Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:44.756{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1470AC6D4F36A48EF643F6461ED17C0,SHA256=1E3FAA9A1DB02DEC533C3DE98E39E549117B8216BC22926F15EA69BD6CB75DA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052146Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:44.679{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68D76481582A814982622FA56DBC3DF9,SHA256=55C90A562A428F9E346484AAF87AD1B99BFC8AEE0E8BB1B857B7321CE9D041D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027695Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:45.910{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=083D55465A08E23AB30DFDFD4C0518D1,SHA256=FFE6ACE2386749B52BF210AB5D576CA85424C1D97B858E4200421395656B9A6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052147Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:03:45.691{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B34E7EA0A593674B277AE0CE4C193DF0,SHA256=D95211825715FC535D14F4E624700552E6488F89CA46A8AF4A234DF29E825FEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027697Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:46.911{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA8E43F99D9A37BBDD65D5DD800D546A,SHA256=6E7D4DF6875D93AC27CDD9A8B6A46E3C12F6317E933C6797B8FCC6A479FB6442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052148Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:46.706{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F70EDF0D638CAF6402840F3DE3847C14,SHA256=A2800C2356CE892EE9000CB6A0C58C9C65C9C322FECFAF940597BA3DDBC8D6D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027696Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:41.749{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51063-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 734700x800000000000000052160Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:03:47.847{C8F4C507-6573-6140-8009-00000000F001}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000052159Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:47.847{C8F4C507-6573-6140-8009-00000000F001}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000052158Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:47.833{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000052157Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:47.833{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052156Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:47.833{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052155Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:03:47.833{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052154Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:47.833{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-6573-6140-8009-00000000F001}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052153Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:47.833{C8F4C507-4936-6140-0500-00000000F001}416432C:\Windows\system32\csrss.exe{C8F4C507-6573-6140-8009-00000000F001}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000052152Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:47.833{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-6573-6140-8009-00000000F001}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000052151Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:47.582{C8F4C507-6573-6140-8009-00000000F001}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
354300x800000000000000052150Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:46.264{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local53791-false10.0.1.12-8000- 23542300x800000000000000052149Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:47.706{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC2398BD9CCBF378270A28D03710BB3B,SHA256=E2F30C575858FFB7DF03787CB53EB0561D1A1794ECD3A89E6C1FD2A0641F6885,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027698Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:47.398{4A7D70D7-4BB9-6140-1E00-00000000F101}1200NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048c9ce0a14d8581d\channels\health\respondent-20210914071403-106MD5=6BC7EA00CD47C1D6CBA9803B46ADA0B9,SHA256=8A1C236148BFDB262F48F4DC65B8BF7ED103820369A4D475048D55288754A72B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052173Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:48.756{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04C2197D80EB664458CC7E9CF1331F95,SHA256=7EDA67FB523B938D50B5EEFAA15CB08686E2ADEBAAC6105ACE7DF4F757784FD9,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000052172Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:03:48.739{C8F4C507-6574-6140-8109-00000000F001}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000052171Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:48.739{C8F4C507-6574-6140-8109-00000000F001}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 23542300x800000000000000027700Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:48.412{4A7D70D7-4BB9-6140-1E00-00000000F101}1200NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048c9ce0a14d8581d\channels\health\surveyor-20210914071401-107MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027699Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:48.067{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000052218Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:52.864{C8F4C507-6578-6140-8509-00000000F001}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052217Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:52.831{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D64040A532A7518E659D87B6F4958C7,SHA256=4D33B83909A1D9052CE569776A2DC13622ADB508AE715850CC05E9770C62E4AF,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000027705Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:52.098{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96DC4D8A1954291EFCEB441CE87442DD,SHA256=FD9DDAF07C75802DA6F346B5232162082A64813D68877E094A063B70FA852B79,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052216Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:52.581{C8F4C507-6578-6140-8409-00000000F001}48126800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000052215Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:52.363{C8F4C507-6578-6140-8409-00000000F001}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000052214Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:03:52.363{C8F4C507-6578-6140-8409-00000000F001}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000052213Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:52.363{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-6578-6140-8409-00000000F001}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052212Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:52.363{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000052211Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:52.363{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052210Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:52.363{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052209Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:03:52.363{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052208Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:52.363{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-6578-6140-8409-00000000F001}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000052207Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:52.363{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-6578-6140-8409-00000000F001}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000052206Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:52.364{C8F4C507-6578-6140-8409-00000000F001}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052240Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:53.831{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=045C14C3D500DFE61E811D770202881F,SHA256=D3EBE9D5E39327450232E733EF7FF601A3DF2C1C483F72D3323C38FE4F6D6D3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027706Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:03:53.098{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AB4851A903E7B47B32E4ED4E1809E87,SHA256=119CB71FA2B61A54B26DFA6B69A5BAAEF3D22C9B8F69DA14F52326AD9EC9F4AA,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000052239Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:53.456{C8F4C507-6579-6140-8609-00000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000052238Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:53.456{C8F4C507-6579-6140-8609-00000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000052237Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:53.456{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-6579-6140-8609-00000000F001}2636C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052236Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:53.456{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052235Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:03:53.456{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052234Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:53.456{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052233Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:03:53.456{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052232Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:53.456{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-6579-6140-8609-00000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000052231Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:53.456{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-6579-6140-8609-00000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000052230Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:53.457{C8F4C507-6579-6140-8609-00000000F001}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052229Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:53.378{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CF0100DAEC32F18A2E9ABEE14A4F517,SHA256=515EB86FB4C8FE5CB5E2F8F2429E96D093275AD34BA27CB293548FA4E2BED09D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052228Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:03:53.066{C8F4C507-6578-6140-8509-00000000F001}38723664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000052243Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:54.847{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=203E6E07D7D7411685FCA37C24191C53,SHA256=EE2AF056A2FE595D0FCC1D31FA59109CA1F5FA2F8EDC860028DEE4F7C24D90A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027707Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:54.114{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD799DB5B27DA3A4682EF664DD09E8A3,SHA256=19C2ECF45A962B704D4E80997A083A6E4B92E4EC812A4698CFFE938073D91CE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052242Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:54.472{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=880A9429FA33393D03E0F2D0B16AE78E,SHA256=AC263E6FFDF880B3326C5DDF19F18EE219B97F7627805EC6BC2C0EEFE13A3FD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052241Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:52.230{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local53793-false10.0.1.12-8000- 23542300x800000000000000052244Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:55.863{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D0B7C530A17E5E9235AAB14DE20BAFB,SHA256=EB81148B47C188ADC610C90D1679D023D706098FCE20B8466E0B79D12337ECD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027708Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:03:55.130{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B358BE73A8611AD66B87248307844B1C,SHA256=FFC0FC0EB6119AEEF9A6519191BB0693E2167C516C6CBB9CE67437A17A96D185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052245Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:03:56.878{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
09:04:11.336{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C87-6140-B607-00000000F001}3372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052280Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:11.336{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052279Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:04:11.336{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052278Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:11.336{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052277Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:04:11.336{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052276Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:11.336{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052275Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:04:11.336{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052274Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:11.336{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052273Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:04:11.336{C8F4C507-4938-6140-0D00-00000000F001}904924C:\Windows\system32\svchost.exe{C8F4C507-5C93-6140-CB07-00000000F001}5092C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027731Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:12.680{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98634B50C7AEEBBC1AB84353D52B535B,SHA256=0163646D266F4D01F892E79DF9492773F5159C480840A2F9C94BB09DF362467D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052305Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:12.617{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3C6A7BCA9CA53B690936F76CD9B3738,SHA256=789FB2EF7F667F040E785EE33329FEF7EE3EC5307E5392ED63054F13489C7E13,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027730Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:08.813{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51068-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000052306Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:13.664{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCAD1DB70B3A1EF334AD4BB96262A3BA,SHA256=D1FBE6EE7C41E163822C2251674E5D0127C9F0416CBB27E02D12549738ED024E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027733Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:13.727{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07BA84E69ECAC5191BDEBBD498AE6A08,SHA256=90AD0903E901A5A3352937424C91516440AF9F83D5D08D42D0382FF95084ABC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027732Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:10.406{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51069-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000052307Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:14.680{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C07D4715CB25C5DD0003E16EA26B8FF,SHA256=98083C97FC48A30EF62EB8ADE2B6C44B3983DAD286076019BF96B328438D09AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027734Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:14.758{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3657BB4FB885AD6AFC2A9C736C0EF8C4,SHA256=F89EB0DB4A2A09155100A80067EEA77BF905795750D34E8C800C187F55C38FE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027735Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:15.774{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F081D3B7579F34BCE604B1744F200C5,SHA256=280DAFACC6595219338B4114BF2AF00AC50E5CDE126094F1A0D13B232774D792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052309Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:15.727{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA0E0244D395D52C38A9027FD4F0F96,SHA256=299AAD25BA3B1B8EA6CB7753EDABF4A3BCE56ECE813C90880BEC5A2761995C0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052308Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:13.250{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local53800-false10.0.1.12-8000- 23542300x800000000000000027736Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:16.805{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0668A9B0E22328BC9A702514A078A5A8,SHA256=DB63864A99FC7C7CC5BA0BF210E7FFD87328130FD82DC78ACD2FF4A4253EEEA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052310Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:16.742{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4317A51DF2831F61C6F9B5F24840AC7C,SHA256=16E6C74D99F075A4710694E49276F23FADCFB2A7B79DCB60AC1A15954C3A99D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052311Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:17.758{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E14FBDE3B7DFAADB822D82EDC905BD7,SHA256=9F24A514474954B0320D2CB91A6B4F22422E2DDA9E5CEA870E33A9C872153929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027738Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:17.836{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A538F89791D85B2D7DFFD9C1E244A1F0,SHA256=CB42DAAE1C5C5C5BB39E2E305DF4E48A23310C0749A3341A9E2EC25D394CAE6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027737Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:14.750{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51070-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000052312Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:18.805{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0001B68C3E935FE8D5F9D74B1026BEB,SHA256=90531FB0B2DEFD28553FC5F249C60745C3EACDBC7FD6AFB109B959ED2CF06AD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027739Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:18.836{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79BB086335DE1F3CA07DF493E90C4E9C,SHA256=4DFDC6AA1D356EBD59519A79DE50F72467CE0808A13A2AAACECD0DA20EC66DA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052313Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:19.820{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5063BA58489FC67FFFF83C66A268D890,SHA256=498B49255D70003701CE3916367C60B970F7C9602837C0182A89BBC96BB07510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027740Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:19.852{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E5332E78B69688F68A352ABBD2E6941,SHA256=A05778186C1D93C1F6A5F3464B39FAF78CF183B3FE9599922A47B9AFF03DB658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027741Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:20.883{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=670898D72ECF914B87F8001EC5DA63A7,SHA256=054584D425702617E2C86278CBA862A4D90F14CC2C382D4F85EF7A9CC46C04D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052315Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:20.820{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C6A92536DF7BB9B43B4E1071F3A39FE,SHA256=5B93D745CD9314D37A5924F8827F0FDBA4821D14BEDB8DB0D007A4A2A1AB9C3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052314Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:04:18.312{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local53801-false10.0.1.12-8000- 23542300x800000000000000027742Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:21.930{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DB8E230B6B26827D534E5FD5EC6668C,SHA256=2F227170309CCB421606F88207F0B6547292D4EEDA98F74108EF7143D1A35424,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052317Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:21.836{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71295426162BE346E1CED9CBD3BE68F5,SHA256=0C9DE9DA46E2786316A1D4A2B831932AE3DEE5A3C106324B05595F58C6CF9140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052316Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:21.242{C8F4C507-4938-6140-1000-00000000F001}420NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3A2A8986C4671CF3B67924142234B51B,SHA256=F96E02F268862F07D2B4644DC74D5972A1EB9EC410A4458601454634258DE7D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052318Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:22.867{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B1BC45BB28617D14F8D2E9CA38D8CE7,SHA256=42E59454C2BAA525D76BD9E404FBB49E78AF108D03DFDB293DA25DEBAB2F57E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027769Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:22.821{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-6596-6140-B606-00000000F101}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027768Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:22.821{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027767Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:04:22.821{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027766Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:22.821{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027765Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:04:22.821{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027764Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:22.821{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027763Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:04:22.821{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027762Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:22.821{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027761Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:04:25.448{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027794Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:25.448{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027793Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:04:25.448{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027792Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:25.448{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027791Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:25.448{4A7D70D7-4BB7-6140-0500-00000000F101}416952C:\Windows\system32\csrss.exe{4A7D70D7-6599-6140-B806-00000000F101}1700C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027790Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:25.448{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-6599-6140-B806-00000000F101}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027789Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:25.449{4A7D70D7-6599-6140-B806-00000000F101}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000052321Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:24.312{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local53802-false10.0.1.12-8000- 23542300x800000000000000052323Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:26.932{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AA9950B3BCDE572D7234AF91E614400,SHA256=BBC19DAA8BDABA6A2D4123AD4D66C625D7F423D964994FA7F6DFD53DB88D007F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027833Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:26.948{4A7D70D7-659A-6140-BA06-00000000F101}30323356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027832Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:26.839{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3DD4D0C5939FBF2A80F804D458F152,SHA256=57A86271E8D2F9FDAD2C570AB306776A60BA69340934882D425981C4AF8A87CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027831Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:26.839{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6358571CD6756585C4FCD0F16874D64,SHA256=344FA7AF1A141E48FDC2C896B70EC243B574C598E7C6E93506CD37125EDFFD73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027830Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:26.792{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-659A-6140-BA06-00000000F101}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027829Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:04:26.792{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027828Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:26.792{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027827Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:04:26.792{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027826Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:26.792{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027825Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:04:26.792{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027824Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:26.792{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027823Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:04:26.792{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027822Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:26.792{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027821Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:04:26.792{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027820Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:26.792{4A7D70D7-4BB7-6140-0500-00000000F101}416432C:\Windows\system32\csrss.exe{4A7D70D7-659A-6140-BA06-00000000F101}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027819Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:26.792{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-659A-6140-BA06-00000000F101}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027818Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:26.793{4A7D70D7-659A-6140-BA06-00000000F101}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000027817Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:26.308{4A7D70D7-659A-6140-B906-00000000F101}4241984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027816Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:26.120{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-659A-6140-B906-00000000F101}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027815Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:26.120{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027814Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:04:26.120{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027813Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:26.120{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027812Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:04:26.120{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027811Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:26.120{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027810Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:04:26.120{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027809Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:26.120{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027808Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:04:26.120{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027807Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:26.120{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027806Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:26.120{4A7D70D7-4BB7-6140-0500-00000000F101}416532C:\Windows\system32\csrss.exe{4A7D70D7-659A-6140-B906-00000000F101}424C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027805Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:26.120{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-659A-6140-B906-00000000F101}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027804Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:26.121{4A7D70D7-659A-6140-B906-00000000F101}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052324Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:27.932{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBB8F14BB8D806B37572F4FD18876DB7,SHA256=C31FBF69865739E8ECD58F23AD027FBD76F172C2F938172B9E142888525DA346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027848Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:27.980{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A93E3968564B53BFD1F0EC980692A02,SHA256=8DB3A8570578798B58372996A9C086987C484F34F5AEEEC69A96EEF3849DB71B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027847Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:27.839{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF89FB966C33F4DB19C2AFB3E2288F96,SHA256=110D9F1FF463F3F9A53649908363E30E943AD313A5AE7A4B4FD050676586CE98,IMPHASH=00000000000000000000000000000000falsetrue 
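The records above are Sysmon events with their XML tags stripped. Record 27811 and its neighbours are EventID 10 (ProcessAccess): svchost.exe (PID 728, lsm.dll in the call trace) opening sysmon64.exe with GrantedAccess 0x1400, and csrss.exe and splunkd.exe opening the new splunk-powershell.exe (PID 424) with 0x1fffff. Record 27804 is the matching EventID 1 (ProcessCreate) for splunk-powershell.exe, whose parent is splunkd.exe. Two of those full-access handles are therefore structural, not suspicious: CreateProcess hands the parent a full handle, and csrss.exe opens every new process during creation (basesrv.dll/CSRSRV.dll in its call trace). The following is an added example, not code from this page or from Sysmon or Splunk: it decodes the GrantedAccess mask into named process rights and uses ProcessCreate lineage to separate those expected handles from ones worth review. The sample events are reconstructed from the four records named above with only the fields the triage needs (CallTrace and hashes omitted); the verdict labels are this example's own.

```python
"""Triage Sysmon EventID 10 (ProcessAccess) against EventID 1 (ProcessCreate) lineage.
Added example; sample values are reconstructed from the flattened records on this page."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Process access rights from winnt.h; 0x1FFFFF is PROCESS_ALL_ACCESS on Vista+.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION", 0x10000: "DELETE",
    0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
# Rights that let the holder read or change the target's memory or threads.
INTRUSIVE = 0x0002 | 0x0008 | 0x0010 | 0x0020 | 0x0040 | 0x0080 | 0x0800


def decode_access(mask):
    """Name the rights set in a GrantedAccess value given as '0x1400' or as an int."""
    mask = int(mask, 16) if isinstance(mask, str) else mask
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    if mask == PROCESS_ALL_ACCESS:
        names.append("PROCESS_ALL_ACCESS")
    return names


def parse_events(xml_text):
    """Turn concatenated Sysmon <Event> elements into dicts of their EventData fields."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    events = []
    for ev in root.findall("e:Event", NS):
        rec = {"EventID": int(ev.findtext("e:System/e:EventID", namespaces=NS))}
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = d.text
        events.append(rec)
    return events


def triage(events):
    """Classify each ProcessAccess record; lineage comes from ProcessCreate records."""
    parents = {e["ProcessGuid"]: e["ParentProcessGuid"] for e in events if e["EventID"] == 1}
    findings = []
    for e in (x for x in events if x["EventID"] == 10):
        mask = int(e["GrantedAccess"], 16)
        if parents.get(e["TargetProcessGUID"]) == e["SourceProcessGUID"]:
            verdict = "expected-parent"  # CreateProcess hands the parent a full handle
        elif e["SourceImage"].lower().endswith("\\csrss.exe"):
            verdict = "expected-csrss"   # csrss opens each new process (basesrv.dll)
        elif mask == PROCESS_ALL_ACCESS or mask & INTRUSIVE:
            verdict = "review"           # intrusive rights from an unrelated process
        else:
            verdict = "low"              # query-only rights
        findings.append({"source": e["SourceImage"], "target": e["TargetImage"],
                         "mask": hex(mask), "rights": decode_access(mask), "verdict": verdict})
    return findings


def _event(event_id, **data):
    """Build one Sysmon-shaped <Event> (constructed for this example, not a real export)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{fields}</EventData></Event>")


# Process GUIDs and images taken from the records above (ProcessAccess 27811, 27806,
# 27805 and ProcessCreate 27804 on win-host-574); CallTrace and hashes are omitted.
SVCHOST = "{4A7D70D7-4BB7-6140-0C00-00000000F101}"
CSRSS = "{4A7D70D7-4BB7-6140-0500-00000000F101}"
SPLUNKD = "{4A7D70D7-4C3D-6140-9E00-00000000F101}"
SYSMON64 = "{4A7D70D7-4BB9-6140-1B00-00000000F101}"
SPLUNK_PS = "{4A7D70D7-659A-6140-B906-00000000F101}"
BIN = "C:\\Program Files\\SplunkUniversalForwarder\\bin\\"

SAMPLE_XML = "".join([
    _event(10, SourceProcessGUID=SVCHOST, SourceProcessId=728,
           SourceImage="C:\\Windows\\system32\\svchost.exe", TargetProcessGUID=SYSMON64,
           TargetProcessId=1940, TargetImage="C:\\Windows\\sysmon64.exe", GrantedAccess="0x1400"),
    _event(10, SourceProcessGUID=CSRSS, SourceProcessId=416,
           SourceImage="C:\\Windows\\system32\\csrss.exe", TargetProcessGUID=SPLUNK_PS,
           TargetProcessId=424, TargetImage=BIN + "splunk-powershell.exe", GrantedAccess="0x1fffff"),
    _event(10, SourceProcessGUID=SPLUNKD, SourceProcessId=360,
           SourceImage=BIN + "splunkd.exe", TargetProcessGUID=SPLUNK_PS,
           TargetProcessId=424, TargetImage=BIN + "splunk-powershell.exe", GrantedAccess="0x1fffff"),
    _event(1, ProcessGuid=SPLUNK_PS, ProcessId=424, Image=BIN + "splunk-powershell.exe",
           ParentProcessGuid=SPLUNKD, ParentProcessId=360, ParentImage=BIN + "splunkd.exe"),
])


def run_sample():
    """Triage the constructed sample; returns the findings in record order."""
    return triage(parse_events(SAMPLE_XML))


if __name__ == "__main__":
    for f in run_sample():
        print(f["verdict"], f["mask"], f["source"], "->", f["target"])
```

The lineage check is the part worth keeping: a detection that fires on GrantedAccess 0x1fffff alone will page on every process launch, because the parent and csrss.exe both appear with that mask in the records above. Correlating on ProcessGUIDs rather than PIDs matters since PIDs are reused; the svchost.exe → sysmon64.exe handle stays in the low bucket because 0x1400 carries only query rights.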
10341000x800000000000000027846Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:27.573{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-659B-6140-BB06-00000000F101}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027845Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:27.573{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027844Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:04:27.573{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027843Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:27.573{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027842Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:04:27.573{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027841Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:27.573{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027840Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:04:27.573{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027839Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:27.573{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027838Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:04:27.573{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027837Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:27.573{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027836Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:27.573{4A7D70D7-4BB7-6140-0500-00000000F101}416952C:\Windows\system32\csrss.exe{4A7D70D7-659B-6140-BB06-00000000F101}1320C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027835Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:27.573{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-659B-6140-BB06-00000000F101}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027834Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:27.574{4A7D70D7-659B-6140-BB06-00000000F101}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000027850Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:25.753{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51072-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027849Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:28.933{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F7F5B1A4382BF7215D98989AAB7470,SHA256=2B51DF41B087A405D4C1F54776AF97A51159F2394CEA8189494380B5AF1C18E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052325Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:28.932{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C6406755225991D0E2B4A5895B28802,SHA256=84083361E94A52941710743443664A678BD4F88B7E660399F422EF2A64AF69E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052326Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:29.948{C8F4C507-495A-6140-7B00-00000000F001}3640NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=838FFE93628F872A48E42BCBFD3F4601,SHA256=340CFE53272C45C4942A07745428542147932152D734EDFFD3F67C2DE5DEE4A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052327Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:30.964{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F52B00DA6C64B6D2008F7F24874F1678,SHA256=55DA53178D3DA4818B252276EAED7F1E273FF563CADA954238227C9441A50E45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027851Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:30.058{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579E0C6AB183346814211048ADF72D06,SHA256=0A22FC91993ABE914AC4931751C0B49B0FEF8FD57C805AA76F7D2D44EEA36089,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052328Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:31.979{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30142C7AAE38F865244A2FB8A86ADDBF,SHA256=ADB2F136DF5B549B0782DD624463004650ABC1A1AE653A831713356EEF10B4FC,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000027852Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:31.151{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=213B6488EF1421F75399E712D880A2F4,SHA256=0CEF1833DE72F43E55311A7ED25639FAEB7082DC326C93DEBDE154A8351E0F4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052330Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:32.995{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9E0E67E5C9CDB60D73F5671DD46A9B3,SHA256=1CD1392103C9700DF355F25D62BDB5A42A339346D37A105468AF0EE1796139E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027853Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:32.386{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0C3A8784C29AD34D0663D8B8FF6D858,SHA256=2E9E1FD3ED22998BBBE626397F327C2C9E8A72BD5CD429DF2FE82B74EC0D8174,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052329Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:30.284{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local53803-false10.0.1.12-8000- 
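Most of the records on this page are EventID 23 (FileDelete): on both win-host-574 and win-dc-158, splunk-winevtlog.exe rewrites its WinEventLog checkpoint files under `...\var\lib\splunk\modinputs\WinEventLog\` about once per second, and every deletion carries IsExecutable=false and Archived=true, so Sysmon also copies each version into its archive directory. amazon-ssm-agent.exe produces the same pattern for its `channels\health\` files. A Sysmon configuration excerpt that drops that noise is added here as an example; it is not from this page or from any project the page describes. The schemaversion must match the installed Sysmon binary (check with `sysmon -s`), and the paths are the ones visible in the records above.

```xml
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="forwarder-checkpoint-noise" groupRelation="or">
      <!-- EventID 23: exclude only the specific Image AND TargetFilename pair,
           so any other deletion by these binaries is still recorded. -->
      <FileDelete onmatch="exclude">
        <Rule groupRelation="and">
          <Image condition="is">C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe</Image>
          <TargetFilename condition="begin with">C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\</TargetFilename>
        </Rule>
        <Rule groupRelation="and">
          <Image condition="is">C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe</Image>
          <TargetFilename condition="contains">\channels\health\</TargetFilename>
        </Rule>
      </FileDelete>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Keep the exclusion paired on Image and TargetFilename rather than on Image alone: excluding every deletion by the forwarder binary would also hide the case where that process is abused to remove something else, and an exclude on TargetFilename alone would hide another process deleting the checkpoints. Because these records are archived, the exclusion also stops the archive directory from filling with a copy of the checkpoint file every second.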
23542300x800000000000000027854Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:33.464{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D87EAD3CD75B44A43E801457866C4C8,SHA256=F00176D45AF18CE95005DBF0F69DEDD170B8B72E13B9123D80F82D14FF5FB5CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027855Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:34.480{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E297262A55C57BA06714EA52043997B,SHA256=8D4E3C5CFDA29768CC6E7D340EF129145B8E5CDB3076C99EA6C68829DDDCB1FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052331Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:34.042{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBCB2F59D3C73C15BBB8281FF13BF201,SHA256=22975B474CDA8EA44AEE03E4E1615C30A1159110C55EBE53EB5DB1ACE1C51D2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027857Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:35.698{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0189ECB9C092ACC0458A150ABEE8ECB,SHA256=CBE19651E2037BF1F14A5CCB45C9C4D6EF912DC515F7D636975FFD38334CCC37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052332Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:35.057{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE453DF9921AC8D97809ABB3C386D211,SHA256=2F1BAC1022DA591D1F62D30D7BB7B1FB9CF65D2D3A190781CEF23470244ADAE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027856Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:31.675{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51073-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027858Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:36.698{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0799990B13CA2969EC887BE69A3A655C,SHA256=462F6FECD9C546CF1958F4D0A85F227E921CB9B43AF46C7A54141C9CB4DA5221,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052334Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:35.316{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local53804-false10.0.1.12-8000- 23542300x800000000000000052333Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:36.057{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE0CBEC5CD47B47431983F64C51B1000,SHA256=C70CD76EA58514DC578CD930655A3DCF71D9A992D80DDBB9FC18D6291688DF1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027859Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:37.714{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FDA91C39396EBD7EC839C0552D78F76,SHA256=26238F29E435BE790F903931EC5CC43E7A3BABC6FB0C60FDC9145E4F5F02747B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052337Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:37.861{C8F4C507-4948-6140-2A00-00000000F001}2916NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0477d517a1c234eb8\channels\health\respondent-20210914070338-117MD5=444213A5E4761AD14A80FA7E47991D82,SHA256=0DBDB8A4E56CED56EF8E5BF7E0DBD8D08A5C60B4FE09EE301DC946EF89962DD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052336Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:37.292{C8F4C507-4948-6140-2D00-00000000F001}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027875Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:49.947{4A7D70D7-4BB9-6140-1E00-00000000F101}1200NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048c9ce0a14d8581d\channels\health\surveyor-20210914071401-108MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027874Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:49.868{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4EF796402AABB77BF335DD7C19FA8BA,SHA256=692724F4064209FC2DA9EB1F75EF998C946B21946332EDB18C6A876BA1775124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052388Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:49.778{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=597BACD8EA20969CF998CC16E7FAF40D,SHA256=11F5F19FC6479B2587C58780072646A943D6DBBECDE022226B39717E99ADDE4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052387Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:04:49.403{C8F4C507-6533-6140-6C09-00000000F001}70881444C:\Windows\servicing\TrustedInstaller.exe{C8F4C507-6533-6140-6D09-00000000F001}4492C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\combase.dll+7d358|C:\Windows\servicing\TrustedInstaller.exe+43a2|C:\Windows\servicing\TrustedInstaller.exe+1d1d|C:\Windows\servicing\TrustedInstaller.exe+28c6|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000052386Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:49.371{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=610CAD46D311BE8DAAC275FC125D3357,SHA256=531FC66D9C8FAC8A4785648792E1DE31182FEE1C41BE89D97C82D190FC5BB186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027876Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:50.869{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=733DB3BEA096061247F50C731C59A2A5,SHA256=963BD300FB9EDD5C65D5FA2B07FAB28152C3632AEF9B663F8D5CFF39417A9917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052391Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:50.418{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C7967DF4898423DAFD706202BAE615C5,SHA256=829F13D74AD2E271B3D6683CE1725280BA4EF79F627690857E08BCD07DD88B94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052390Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:50.418{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3ADD61F5F92359C46A6D0E65B8491A53,SHA256=CC2FAEB42D2E064E7ACFEC730CAD2A60E3D204A63BAD71DDFD934C19EDD48ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052389Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:50.387{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC26D02A00D73794C3F2977670A2D583,SHA256=0CAFB3BB9C91F761941C33C69046A23D0B6E637EC1B6254D44DEE46BDFC6EDD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027877Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:51.885{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C182899FB5ABBA60B4ED0BDACD2144DE,SHA256=AEC40CC47477461A92837F61645DDD26F7536DC8127BC7B22B6D451401B3BEDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052404Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:51.903{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FA2CD6B9E7F8A59352B237B5D8CA5F8,SHA256=71F250A75A42EFB7D8A7AC522CB8C43A55F593045CDB7417BDE0D8D90DBBAE0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052403Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:51.450{C8F4C507-65B3-6140-8A09-00000000F001}54365892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000052402Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:51.390{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E1487549664E0E14038C5C029AB80C,SHA256=661459D58D6A53B26BDAE1AD1FAA526ABF6A49E5A5773B42BC54748D515E2802,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000052401Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:51.262{C8F4C507-65B3-6140-8A09-00000000F001}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000052400Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:51.262{C8F4C507-65B3-6140-8A09-00000000F001}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000052399Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:51.262{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-65B3-6140-8A09-00000000F001}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052398Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:04:51.262{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052397Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:51.262{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052396Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:04:51.262{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052395Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:51.262{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052394Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:51.262{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-65B3-6140-8A09-00000000F001}5436C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000052393Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:51.262{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-65B3-6140-8A09-00000000F001}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000052392Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:51.263{C8F4C507-65B3-6140-8A09-00000000F001}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027879Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:52.900{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83649CC1F7742275113223963DB94EFE,SHA256=62458CABEC6FF6135F215DA94DB28A76F047A9923E6115FAED950B9972A4E701,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052419Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:52.996{C8F4C507-4938-6140-0D00-00000000F001}9043476C:\Windows\system32\svchost.exe{C8F4C507-5C85-6140-AA07-00000000F001}3848C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052418Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:52.559{C8F4C507-65B4-6140-8B09-00000000F001}67646624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000052417Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:52.403{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00909E4BE4D9166B80AE449EE460EACD,SHA256=2FB363F3C4C04A0C281CF8748F63FAA30E1F409C66F4BE1DC4958B4B7E3CBA4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027878Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:49.626{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51076-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 734700x800000000000000052416Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:52.371{C8F4C507-65B4-6140-8B09-00000000F001}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000052415Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:52.371{C8F4C507-65B4-6140-8B09-00000000F001}6764C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000052414Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:52.371{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-65B4-6140-8B09-00000000F001}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052413Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:52.371{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052412Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:04:52.371{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052411Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:52.371{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052410Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:04:52.371{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052409Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:52.371{C8F4C507-4936-6140-0500-00000000F001}41696C:\Windows\system32\csrss.exe{C8F4C507-65B4-6140-8B09-00000000F001}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000052408Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:52.371{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-65B4-6140-8B09-00000000F001}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000052407Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:52.372{C8F4C507-65B4-6140-8B09-00000000F001}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000052406Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:50.801{C8F4C507-4936-6140-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53808-true0:0:0:0:0:0:0:1win-dc-158.attackrange.local389ldap 354300x800000000000000052405Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:50.801{C8F4C507-4948-6140-2700-00000000F001}2876C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT 
AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-158.attackrange.local53808-true0:0:0:0:0:0:0:1win-dc-158.attackrange.local389ldap 23542300x800000000000000027880Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:53.916{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC60C7FC8437B911D36F89CDB8D6A358,SHA256=32E958D6A95708184211E88B8C92C3CFD6061C8C4FE0EA552414C42637DD0AB0,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000052442Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:53.715{C8F4C507-65B5-6140-8D09-00000000F001}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000052441Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:53.715{C8F4C507-65B5-6140-8D09-00000000F001}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000052440Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:04:53.715{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-65B5-6140-8D09-00000000F001}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052439Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:53.715{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052438Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:04:53.715{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052437Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:53.715{C8F4C507-4936-6140-0500-00000000F001}416532C:\Windows\system32\csrss.exe{C8F4C507-65B5-6140-8D09-00000000F001}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000052436Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:04:53.715{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052435Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:53.715{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052434Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:53.715{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-65B5-6140-8D09-00000000F001}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000052433Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:53.717{C8F4C507-65B5-6140-8D09-00000000F001}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
23542300x800000000000000052432Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:53.434{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=715A3A05E7217D551DFA46EA8098962D,SHA256=600ADE8039FD907A5F079C06E28A2FA91807B4DD8B4B462D6C2D99EE02D8C57C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052431Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:53.387{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8AF990FF58315B09C17FDB9AE945759,SHA256=3B25447043E7DFF0071C83E9968658E06CBB4BC98D58DFEF2389B40CFC06C096,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052430Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:53.231{C8F4C507-65B5-6140-8C09-00000000F001}59486736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000052429Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:04:53.043{C8F4C507-65B5-6140-8C09-00000000F001}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000052428Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:53.043{C8F4C507-65B5-6140-8C09-00000000F001}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x800000000000000052427Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:53.043{C8F4C507-4949-6140-3700-00000000F001}33563376C:\Windows\system32\conhost.exe{C8F4C507-65B5-6140-8C09-00000000F001}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052426Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:04:53.043{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052425Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:53.043{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052424Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:04:53.043{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052423Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:53.043{C8F4C507-4937-6140-0C00-00000000F001}848660C:\Windows\system32\svchost.exe{C8F4C507-4948-6140-2900-00000000F001}2892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052422Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:53.043{C8F4C507-4936-6140-0500-00000000F001}416432C:\Windows\system32\csrss.exe{C8F4C507-65B5-6140-8C09-00000000F001}5948C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000052421Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:53.043{C8F4C507-4948-6140-2D00-00000000F001}29603456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8F4C507-65B5-6140-8C09-00000000F001}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000052420Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:53.044{C8F4C507-65B5-6140-8C09-00000000F001}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{C8F4C507-4936-6140-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8F4C507-4948-6140-2D00-00000000F001}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027881Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:54.932{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCC8488D6E52119F1AD75D110C4989EC,SHA256=88FA71C18EFFB03BD589D23F16326184FA85D721F3721DB49AB31073BD402572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052445Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:54.746{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19981E90C7DA16650F06786293D087CF,SHA256=E5291B12DF500E9038788F0A2C73AEF7C47B62632961FC55369C3F682A3A13FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052444Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:54.450{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E56ED1968D7E14183186D2B9E5790568,SHA256=C472794023A09C2DE37214B7DD7AC69652A151ACA842AAA2E5DC446834F7C02F,IMPHASH=00000000000000000000000000000000falsetrue 
354300x800000000000000052443Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:52.363{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local53809-false10.0.1.12-8000- 23542300x800000000000000027882Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:55.947{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6D7ABF2E178EB6F5337DBE73C66579F,SHA256=D0FCFE8D96252522A386228DD0D8C8C7FE0B506F6B9CC9D2FDAB1F1E3BAC5621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052446Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:55.450{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DE7A406C6257E6B1BDD416DF4A48C62,SHA256=593A80F62532B7506EBC6FA5834DE63BF390F7A28274CF5BADB36E05B289B8C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027883Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:56.963{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=836406FFA423D350EBE1320EA8394872,SHA256=B93F3A5E4D405ECEFACE816DB12FC9B6B49B182CA5D11400C158E083119A4664,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000052447Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:56.450{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B37A1850DEA55D3F075FFCE95FAFF8F,SHA256=DA72082D976EE71128A24110DD6B7A25CB2107D144FADDCA90F0036B35AFC901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027884Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:57.978{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A729AA111A8AC8C8FCB14402EE0E553,SHA256=7E47C835DB8296D6925946E0F043CFC3DD9C95AD039E54B331B65ED956915B17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052448Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:57.465{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E791D2A8321D68954AC059F823C3414,SHA256=A69A310489D5727AB5A8991961E40D76F9D55F70DE10790E158BE00C970D54BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027886Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:58.994{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F3CB7D2D4279564346B6EB829775268,SHA256=4145AC817E90072404CD1D6C9F70D601186F33252C1EF0C4E976F306EF046EA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052449Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:58.481{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8556FA3C51C2ED8108ED2B97AE6AD5DD,SHA256=678178CE130F1C1F022CF1AFD148A4C5EE376FCBFD5F2082EFBE2E16249748C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027885Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:54.767{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51077-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027887Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:59.994{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A62DABF0D19EF6992593199CA15235E,SHA256=8A49CFC689D460E2C763FAAF7602411563CE980134D11BE9B4DE340DC032FD4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052450Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:59.497{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F077795A5E156483AC57F45DC694A7A,SHA256=3A0A662CCB78F3823529C631FBD0E791B86688B93A2E5CD1753ACB8077348EEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052452Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:00.512{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=684A75034ECD683DB3FDFE23681E9876,SHA256=599B99EE641B4F6B20845C9D7E62CFAC6DAB96CBEC0BA780E7FED6091B357DA4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000027888Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-SetValue2021-09-14 09:05:00.025{4A7D70D7-4BB8-6140-1100-00000000F101}984C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a947-0x98b17add) 354300x800000000000000052451Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:04:58.379{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local53810-false10.0.1.12-8000- 23542300x800000000000000052453Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:01.528{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BDA9D83AB19F5090AE450CFCA686E03,SHA256=101BB81A388AB0645398922F73374615AC850BA01C975A2EC2D1326B3AB27DB1,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000027889Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:01.010{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3EA01E0D89BE016C56716BA8F813D63,SHA256=DAD30C8D1B6C60D37764B2A7DDB24E8AEFE7D33C4D834113BF5FC38BDD95CA86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052454Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:02.543{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F432F07DC387565DFA2A7164296584E1,SHA256=F2BBCB3C3CCDB19BB8F49E7AD84970B091CFE3FFE0B10336F4B0546922228D19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027892Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:02.697{4A7D70D7-4BB8-6140-1300-00000000F101}368NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2EEAE76D770395F2A99608E8E7739765,SHA256=30C6D32AD6D428539910408F8027A4A835ECE7B048A47E3E6AFEAE5CB4DC6C60,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027891Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:04:58.563{4A7D70D7-4BB8-6140-1100-00000000F101}984C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-574.attackrange.local123ntpfalse169.254.169.123-123ntp 23542300x800000000000000027890Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:02.025{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2576A73F79383EA75BD96B4C77563DF6,SHA256=97561480D5FC7B6CEDFB28122F97B2245B30A5423DE6AD64A6BD1D21075D380E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052455Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:03.559{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5817E0A4E7365424B8751C2DF0EC4C46,SHA256=6685BF4E91DECC87A6AD15172D2BF7634A51FCB50B287BC4FBB51896CF4F21E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027894Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:00.673{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51078-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027893Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:03.041{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=183F313A14E6BABCBD782533EC01571B,SHA256=6E130199D61D1E91CED070C96DDFCAC65C7CC3B656CC572F9D410A3CCB744AFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052456Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:04.559{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F55E9472CA0F2B22057474A3C344E41,SHA256=0E67E25E31934C41EAEBE3BE3E18338F22DADE65B1E490A41B0246E40CFC4601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027895Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:04.041{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27CA97ED832A0760E05CBD186371F7A1,SHA256=0B2888344FD558BD121CCDEF9122354BE99B1CEF3BCF6EF77393B9072CF51DAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052457Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:05.567{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D4E9A8ED0A889192A00DB683E6E944,SHA256=81131D29216C24B896E0B766E56C12012A08D6BEEE26B6E9A9F35F15B0673E1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027896Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:05.056{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58CC009E04642B13FC3A205062033B50,SHA256=1EB239C1BCDBC2A6A39996BDE327D7876BF131432DB9FE8727790AE2D3349DBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052459Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:05:06.583{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BCE07F4A882E523F768918EEB97DF54,SHA256=062A26603D807084DEFAC1B17FE53D233F709EE46872E67A28DA34E4899DC2B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027897Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:06.067{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E796D91E075B4A8003236DF441719BD0,SHA256=2BA2B7632E4EF15D51ECB9C3397E6A2CD525DA2CD74F63F8DF1566C96CFBEBB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052458Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:04.364{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local53811-false10.0.1.12-8000- 23542300x800000000000000052462Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:07.598{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6AC081D9D6004380FD5584EB341682D3,SHA256=88E02423170DF0091CC2C99DCE16D160FE58D2EBD08CBA4A8D38FC06F22A8978,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052461Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:07.598{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53291CCAF5AF36864FE09AB0E49D7356,SHA256=FADB5B5294F9C88B84650267F2949AA1C6027876C97783BCAAA49DC850826D4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052460Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:07.598{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C86DF7951F4A3ACFADF09FB6CA4AD8A,SHA256=97D3F585B875DA23FD26F14673F9E70B6CB5148F910B93219EB0FEF7AB190073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027898Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:07.067{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87572C17DC05E5C040D169DC1A4B6E4E,SHA256=C6B11CE18D6A5DD062A683D5D3397C34517C4EB3C0832405B96A3E4D243F5963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052463Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:08.614{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=752864FA4DD5E9A88F405CFB5752A224,SHA256=F4F0E7447634826A6C87B06540BDD9AAE7264899A7F0B3D44ED8143A19A9FB10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027899Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:05:08.083{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92287B40C3FCEDBD30414CC8D2518645,SHA256=FCA04ABF55B03157F8F2E194DC891C2C5F4FBD1F36144CBDB65A973946A9032E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052464Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:09.630{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B26580FF204DCF529E788EB671A8B088,SHA256=B33C1F3C97F2DC9D12F149BFFEDF93334A1B1E9EA09D3DF7EDA62DB57C224BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027900Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:09.098{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88C68AE150377E64FE1771B4559F68CE,SHA256=C61F637263BFE5DA2442157DD105ADF14E4D9A8273DB77F08CDBC04CE69805DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052465Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:10.645{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A95AAAACCEF52737ADBB772ED5EBF1C1,SHA256=A0D323FC9E937E2D9C7FCFD21546CFCAA7B737B748F6A53C42135617BC7D4DD2,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000027902Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:10.114{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7E20D5CB3EE2EF320EDFF3EF9EB577E,SHA256=8343426D377F997002E57D95C0E0D991235D102E1905032AD7B16DB6915E1957,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027901Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:06.652{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51079-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000052467Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:11.645{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5979EBCEB26C68418BAF78D24BEB2B91,SHA256=D38BE3C316A715DDCCAB49C3D2AFD793649667EE2E3E4881C85625CF52BC19C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027904Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:11.895{4A7D70D7-4C3D-6140-9E00-00000000F101}360NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=97307B6C6226AFFEFEDDF9EBA24D5EA3,SHA256=4CB856A974CB30F2D8F223261AE885385947BBAEFF3925236FB5B2D7588E78E3,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000027903Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:11.129{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=365FEAAFA773BC060685671303C047E4,SHA256=CF04B23B0FEE03057AB3774646ED1D649C36E224D4A61F652EF74222DFAB4816,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052466Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:10.356{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local53812-false10.0.1.12-8000- 23542300x800000000000000052468Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:12.645{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21CBB047A94C4B6E75E15823A20516F3,SHA256=5EFAAEC64FD2BCB51B6329FC300510DFA5EEDF9197EE206310EC61D0DF21DD56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027905Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:12.145{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F97AC157A2D8384998C3C7F7AFEF50,SHA256=FBA489DA7B5E7A15053A78DEA62D60B50A5CE0AC3C35478C76D560B7C78EDBD8,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000052469Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:13.661{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1257C1F4BA081C17662DA6DCFBAEEB37,SHA256=648E19C9BD6844E0E866D5B341450D454E3EDEF738A615D8CB80DE1D854AC259,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027906Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:13.161{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20A2D035973D01B2300A8E920B1EC31A,SHA256=DD76E24A95CDA6A7D7A0FC3BAA485F05B2DF28A5FC1504E17A80BAB4F40A9F2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052470Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:14.676{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E2EFB8AECC208606DA35B0B32FFCB75,SHA256=97473872B63734A613868C4E597DD8FEB027CC983B50A325C66EF5A141DF411F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027908Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:10.434{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51080-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 
23542300x800000000000000027907Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:14.176{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC8FD850D87BA9761AA755987BE5FE70,SHA256=80C6E61B5F3731B17CFCB5657E7876C97FC2ECE9087392F0149051B87AB981A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052471Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:15.676{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37D84360BC804C3426BBECA67CEE1A98,SHA256=0476A8A36BBE0A2B4F2A1D9541BD5451A6E5E40AEA641C4331A6364DC14A0507,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027910Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:11.699{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51081-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027909Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:15.192{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B7EFED692517CAF13457E356013B26C,SHA256=64B31E7686BD32863C31C189E0CD1B2A86677AA869A17336E9AE6D7187384E67,IMPHASH=00000000000000000000000000000000falsetrue 
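The rows above are Splunk table output of Sysmon events with the field values run together and no separators: the System header (EventID, Version, Level 4, Task, Opcode 0, Keywords, EventRecordID, channel, computer, a "-" for the empty Security UserID) followed by the EventData of FileDelete (23), NetworkConnect (3), ProcessAccess (10) and ProcessCreate (1) in schema order. The parser below is an added example, not code from the page, from Splunk or from Sysmon. It recovers the fields by relying on that order and on the literals that survive (the channel name, "MD5=", "0x", drive-letter paths, true/false), and it folds the dump's hard wraps, which fall after an existing space ("C:\Program " then "Files"), back into that space. Two caveats it handles explicitly: SourceProcessId and SourceThreadId of event 10 are fused in this rendering ("7281268" is pid 728 and tid 1268) and are kept together rather than guessed apart, and the hostname and IP fields of event 3 are only separated for IPv4. The triage rules encode my reading of the dump (the forwarder rewriting its WinEventLog checkpoint files every second, streamfwd.exe/splunkd.exe connecting to the Splunk host on 8000 and 8089, svchost/lsm.dll taking query-only 0x1400 handles to sysmon64.exe); the port allowlist, the lsass.exe rule and the UNKNOWN() call-trace hint are assumptions added for the example. The sample rows, GUIDs, hashes, hosts and addresses are constructed in the dump's layout.

```python
"""Parse separator-less Sysmon rows (as dumped above) and triage them. Added example."""
import re
from dataclasses import dataclass

CHANNEL = "Microsoft-Windows-Sysmon/Operational"
# Process access rights from winnt.h used by the triage rules.
PROCESS_CREATE_THREAD, PROCESS_VM_READ, PROCESS_VM_WRITE = 0x0002, 0x0010, 0x0020
QUERY_ONLY = 0x0400 | 0x1000  # PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION

# System section: EventID, Version, Level (4), Task (== EventID for Sysmon), Opcode (0),
# Keywords, EventRecordID, Channel, Computer, '-' for the empty Security UserID, then UtcTime.
HEADER = re.compile(
    r"(?:^|(?<=\s))(?P<eid>\d+)(?P<ver>\d)4(?P=eid)0"
    r"0x(?P<keywords>[0-9A-Fa-f]{16})(?P<record>\d+)" + re.escape(CHANNEL) +
    r"(?P<computer>[\w.-]+?)-(?P<utc>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
EXE = r"[A-Za-z]:\\.+?\.exe"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"  # assumption: IPv4 rows only; IPv6 needs another pattern
HASHES = r"MD5=(?P<md5>[0-9A-F]{32}),SHA256=(?P<sha256>[0-9A-F]{64}),IMPHASH=(?P<imphash>[0-9A-F]{32})"
# EventData in Sysmon schema order for the four event types present in the dump.
BODY = {
    1: re.compile(r"\{(?P<pguid>[0-9A-F-]+)\}(?P<pid>\d+)(?P<image>" + EXE + r")(?P<metadata>.*?)"
                  + HASHES + r"\{(?P<parent_guid>[0-9A-F-]+)\}(?P<parent_pid>\d+)"
                  r"(?P<parent_image>" + EXE + r")(?P<parent_cmdline>.*)"),
    3: re.compile(r"\{(?P<pguid>[0-9A-F-]+)\}(?P<pid>\d+)(?P<image>" + EXE + r")(?P<user>.+?)"
                  r"(?P<protocol>tcp|udp)(?P<initiated>true|false)(?P<src_ipv6>true|false)"
                  r"(?P<src_ip>" + IPV4 + r")(?P<src_host>[\w.-]*?)(?P<src_port>\d+)(?P<src_port_name>\D*?)"
                  r"(?P<dst_ipv6>true|false)(?P<dst_ip>" + IPV4 + r")(?P<dst_host>[\w.-]*?)"
                  r"(?P<dst_port>\d+)(?P<dst_port_name>\D*)"),
    # SourceProcessId and SourceThreadId are fused ("7281268" = pid 728, tid 1268); kept together.
    10: re.compile(r"\{(?P<src_guid>[0-9A-F-]+)\}(?P<src_pid_tid>\d+)(?P<src_image>" + EXE + r")"
                   r"\{(?P<tgt_guid>[0-9A-F-]+)\}(?P<tgt_pid>\d+)(?P<tgt_image>" + EXE + r")"
                   r"0x(?P<granted_access>[0-9A-Fa-f]+?)(?P<call_trace>[A-Za-z]:\\.*)"),
    23: re.compile(r"\{(?P<pguid>[0-9A-F-]+)\}(?P<pid>\d+)(?P<user>.+?)(?P<image>" + EXE + r")"
                   r"(?P<target>[A-Za-z]:\\.+?)" + HASHES +
                   r"(?P<is_executable>true|false)(?P<archived>true|false)"),
}

@dataclass
class SysmonEvent:
    event_id: int
    record_id: int
    computer: str
    utc: str
    fields: dict

def normalize(dump: str) -> str:
    """The dump wraps rows after an existing space, so a newline folds into that space."""
    return re.sub(r" ?\r?\n", " ", dump).strip()

def parse_records(dump: str):
    """Split the dump at System headers and parse each body; unparseable rows are reported."""
    text = normalize(dump)
    heads = list(HEADER.finditer(text))
    events, rejects = [], []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body, eid = text[h.end():end].strip(), int(h["eid"])
        m = BODY[eid].fullmatch(body) if eid in BODY else None
        if m is None:  # unknown event type or a layout the patterns do not cover
            rejects.append((eid, int(h["record"]), body[:40]))
            continue
        events.append(SysmonEvent(eid, int(h["record"]), h["computer"], h["utc"], m.groupdict()))
    return events, rejects

FORWARDER_IMAGES = {"splunk-winevtlog.exe", "streamfwd.exe", "splunkd.exe"}
SPLUNK_SERVER_PORTS = {8000, 8089}  # assumption: destinations the forwarder used in the dump
SENSITIVE_TARGETS = {"lsass.exe", "sysmon64.exe"}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def triage(ev: SysmonEvent) -> str:
    """Label forwarder/Sysmon self-noise, things worth review, and plain info."""
    f = ev.fields
    if ev.event_id == 23:
        if basename(f["image"]) == "splunk-winevtlog.exe" and "\\modinputs\\wineventlog\\" in f["target"].lower():
            return "noise: forwarder rewriting its WinEventLog checkpoint file"
        return f"review: {basename(f['image'])} deleted {f['target']}"
    if ev.event_id == 3:
        if basename(f["image"]) in FORWARDER_IMAGES and int(f["dst_port"]) in SPLUNK_SERVER_PORTS:
            return "noise: forwarder connection to the Splunk server"
        return f"review: {basename(f['image'])} -> {f['dst_ip']}:{f['dst_port']}"
    if ev.event_id == 10:
        access, src, tgt = int(f["granted_access"], 16), basename(f["src_image"]), basename(f["tgt_image"])
        if tgt == "sysmon64.exe" and (access & ~QUERY_ONLY) == 0:
            return f"noise: query-only handle to sysmon64 (0x{access:x})"
        if tgt in SENSITIVE_TARGETS and access & (PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD):
            hint = ", unbacked frame in call trace" if "UNKNOWN(" in f["call_trace"] else ""
            return f"review: {src} opened {tgt} with 0x{access:x}{hint}"
        return "info: process access"
    if ev.event_id == 1:
        return f"info: {basename(f['image'])} spawned by {basename(f['parent_image'])}"
    return "info: unhandled event type"

# Constructed rows in the dump's layout; GUIDs, hashes, hosts and addresses are made up.
_H = "MD5=" + "0123456789ABCDEF" * 2 + ",SHA256=" + "0123456789ABCDEF" * 4 + ",IMPHASH=" + "0" * 32
_HOST = "host-a.example.local-2021-09-14 "
SAMPLE_DUMP = " ".join([
    r"23542300x8000000000000000" "1001" + CHANNEL + _HOST + r"09:05:04.041{AAAAAAAA-0000-0000-0000-000000000001}4060"
    r"NT AUTHORITY\SYSTEMC:\Program " "\n" r"Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files"
    r"\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" + _H + "falsetrue",
    r"35430" r"0x8000000000000000" "1002" + CHANNEL + _HOST + r"09:05:04.364{AAAAAAAA-0000-0000-0000-000000000002}3440"
    r"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEM"
    r"tcptruefalse10.0.1.14host-a.example.local53811-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-",
    r"1034100" r"0x8000000000000000" "1003" + CHANNEL + _HOST + r"09:05:22.692{AAAAAAAA-0000-0000-0000-000000000003}7281268"
    r"C:\Windows\system32\svchost.exe{AAAAAAAA-0000-0000-0000-000000000004}1940C:\Windows\sysmon64.exe0x1400"
    r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6",
    r"1034100" r"0x8000000000000000" "1004" + CHANNEL + _HOST + r"09:06:01.118{AAAAAAAA-0000-0000-0000-000000000007}51202244"
    r"C:\Users\Public\update.exe{AAAAAAAA-0000-0000-0000-000000000008}640C:\Windows\System32\lsass.exe0x1010"
    r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000000000401A2F)",
    r"15410" r"0x8000000000000000" "1005" + CHANNEL + _HOST + r"09:05:22.693{AAAAAAAA-0000-0000-0000-000000000005}3896"
    r'C:\Tools\tool.exe1.0.0.0Example ToolExample ProductExample Cotool.exe"C:\Tools\tool.exe"C:\Tools\NT AUTHORITY\SYSTEM'
    r"{AAAAAAAA-0000-0000-0000-000000000000}0x3e70System" + _H + r"{AAAAAAAA-0000-0000-0000-000000000006}360"
    r'C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service',
])

if __name__ == "__main__":
    found, bad = parse_records(SAMPLE_DUMP)
    for ev in found:
        print(ev.utc, ev.event_id, ev.record_id, triage(ev))
    print("unparsed:", bad)
```

To run it over the page's own rows, read the dump into a string and pass it to parse_records; anything the patterns do not cover comes back in the rejects list rather than being silently mis-parsed. The fused pid/tid of event 10 can be resolved by joining on the process GUID against event 1 rows, which is the reason the parser keeps the GUIDs.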
23542300x800000000000000052472Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:16.692{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAAA113725A7FB7BE12E6AB0ED0C2E50,SHA256=ADD4EA6822903D3966217AC9E8EF87CB23FAA6770FB20C69AC70F26A876CBDE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027911Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:16.208{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0966A3C08AE089115C85985DE0C7025D,SHA256=59FB480EF9C831C0DED5F0C6E517B61C8765555821E84B8E5A3B2BFE9BE944F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052474Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:17.692{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13B62AFF8ACD3F8F838D5CA3789BED5F,SHA256=6DD47DD7F76AC9F5378DFDE163029FA23558450D3F116EC0E9298C585FC00EA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027912Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:17.223{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D75208F2A0E9CEC87761F9D6B9391237,SHA256=6E48A0EC7EA70363C0D5FE4764AF538388E3C23BAB51112A1F690CF288632F8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052473Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:16.168{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local53813-false10.0.1.12-8000- 23542300x800000000000000052475Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:18.708{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF2109EDE01F9E4DEC6430967968733,SHA256=74F4C87B841501D016CAA17B1CA7690CBF0B5696F1C7F5C7C741DD55E7B1F686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027913Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:18.239{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=468E665299AE2AA874D8A63BE900D7AB,SHA256=41FCAFFD1559F25A23CFE13C378D7C1BAE7AA643D8ABE0CB2E0B65B0C42E0105,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052476Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:19.708{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37870C00DE4EBD08AB7EA93465318E59,SHA256=3A07C7EA5E0D7F1B14491143E82A5759398B50324F52DE8DB2EFC96AF00361EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027914Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:19.254{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6FFE81F4923F1BCC818F2A755B5F50,SHA256=97C7F67031FC28F5C8CD90CF00CE216C143391274E75578256DF1B32EC998FEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052477Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:20.723{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8BDB48291C664200446C1F9C5400BA9,SHA256=9A8DEE28316DED8882A0037978BB5458D5D265BA9ABE1CCD550740BF3DD09861,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027916Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:17.683{4A7D70D7-4C46-6140-CC00-00000000F101}2772C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-574.attackrange.local51082-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027915Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:20.270{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4F719753DCFE938E3875B2A7E70E24,SHA256=A8EAA31E25EE35623F5DCDA4D590AD74F63676EE6B005FEDD9A500E792B33333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052479Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:21.723{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14FD531BF6505375ECF76DF76D886242,SHA256=A1395D92DF7D09EEB05E208E81F342F23D85E769259B5C9EECA89B69A69E2111,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027917Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:21.270{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F14E48AA1E88D6EF2259443203D820E,SHA256=8D093CF5406A2A1FBC85461D9C5637FE6A16EA7B579293B53950F567DFE75D38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052478Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:21.254{C8F4C507-4938-6140-1000-00000000F001}420NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F4FD80C5781C94539142C7A249A02E15,SHA256=24FED7E7F4743F366734D14A63F2C9FB5B7CBAD53F901C810EF9FF90B8D545E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052481Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:21.216{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local53814-false10.0.1.12-8000- 23542300x800000000000000052480Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:22.739{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F51F5CB7C978AA68F0C2FC1742ABC40,SHA256=80C2AA4E71B55F0483974871E442199C60A25432119D346F6841FE3EBBF8DE97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027945Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:22.692{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-65D2-6140-BD06-00000000F101}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027944Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:05:22.692{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027943Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:22.692{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027942Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:05:22.692{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027941Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:22.692{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027940Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:05:22.692{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027939Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:22.692{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027938Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:05:22.692{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027937Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:22.692{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027936Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:05:22.692{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027935Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:22.692{4A7D70D7-4BB7-6140-0500-00000000F101}416432C:\Windows\system32\csrss.exe{4A7D70D7-65D2-6140-BD06-00000000F101}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027934Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:22.692{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-65D2-6140-BD06-00000000F101}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027933Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:22.693{4A7D70D7-65D2-6140-BD06-00000000F101}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000027932Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:22.348{4A7D70D7-65D2-6140-BC06-00000000F101}32642756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027931Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:22.270{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB12E7413F8D56424FE21C6ED58C8FE9,SHA256=EF8AFE029D3E3FB3CE391842B1408D54EAA53CB4CEA1072EF256E725BA8DDBEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027930Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:22.145{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-65D2-6140-BC06-00000000F101}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027929Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:05:22.145{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027928Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:22.145{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027927Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:05:22.145{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027926Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:22.145{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027925Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:05:22.145{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027924Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:22.145{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027923Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:05:22.145{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027922Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:22.145{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027921Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:05:22.145{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027920Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:22.145{4A7D70D7-4BB7-6140-0500-00000000F101}416532C:\Windows\system32\csrss.exe{4A7D70D7-65D2-6140-BC06-00000000F101}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027919Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:22.145{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-65D2-6140-BC06-00000000F101}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027918Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:22.146{4A7D70D7-65D2-6140-BC06-00000000F101}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052482Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:23.755{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D660E558C096802A6636A7EB3B17AD1,SHA256=237D28789E5A0C01D2D4DE753B3AB319B19BD1CE972AB1A0A31156DAB4F117AB,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000027961Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:23.317{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-65D3-6140-BE06-00000000F101}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027960Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:23.317{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027959Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:05:23.317{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027958Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:23.317{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027957Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:05:23.317{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027956Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:23.317{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027955Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:05:23.317{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027954Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:23.317{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027953Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:05:23.317{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027952Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:23.317{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027951Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:23.317{4A7D70D7-4BB7-6140-0500-00000000F101}416952C:\Windows\system32\csrss.exe{4A7D70D7-65D3-6140-BE06-00000000F101}804C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027950Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:23.317{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-65D3-6140-BE06-00000000F101}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027949Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:23.319{4A7D70D7-65D3-6140-BE06-00000000F101}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027948Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:23.286{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48A567165DD1D40BEFE0CECDECEED6CF,SHA256=F102469C130DCC761E9D0CB928B36B96E1DB302D2F088E15DA391632D7AD7B03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027947Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:23.286{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C11CB508810E8B0BCB65C0F62427774,SHA256=9D2D9BF1D5DA7324BEBF2BAB9DD78DDCB9AB2E2C7A7FFBFC30C302A7A5E39158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027946Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:23.286{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0FD8DBAC6BE5FB82C76F1E085BF4DA33,SHA256=F2A1A4BC2B7ABE30855C1A431FCAD433F1A64D8B69A80EF48B838292BB42D83D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052483Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 
09:05:24.770{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36C80B4860F37F0D87114C7966BAB4D0,SHA256=E2320BD477C0277773545174BF4F21426C15DF0A068FB114FCC0E236C174B548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027963Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:24.333{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C11CB508810E8B0BCB65C0F62427774,SHA256=9D2D9BF1D5DA7324BEBF2BAB9DD78DDCB9AB2E2C7A7FFBFC30C302A7A5E39158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027962Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:24.286{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91DF33CB44B139AC3DFFAA2D1A4E6F7F,SHA256=7F5746DA1980F9D6A5823AD643AD47EB10341D2B0DFDE67D60D6701C85735C13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052484Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:25.782{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD3CDC5AB1F92402847E1FAF971554C,SHA256=8A0EA28BC9D0FB7FF404321F71B39947CB89A04E04614E123DC3E6BFA1665BF8,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000027978Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:25.626{4A7D70D7-65D5-6140-BF06-00000000F101}35843476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027977Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:25.454{4A7D70D7-4C3E-6140-A200-00000000F101}32881760C:\Windows\system32\conhost.exe{4A7D70D7-65D5-6140-BF06-00000000F101}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027976Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
10341000x800000000000000028022Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:27.563{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028021Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:27.563{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000028020Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:27.563{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028019Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:27.563{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028018Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:05:27.563{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028017Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:27.563{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028016Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:05:27.563{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028015Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:27.563{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028014Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 
09:05:27.563{4A7D70D7-4BB7-6140-0C00-00000000F101}7281268C:\Windows\system32\svchost.exe{4A7D70D7-4BB9-6140-1B00-00000000F101}1940C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028013Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:27.563{4A7D70D7-4BB7-6140-0500-00000000F101}416952C:\Windows\system32\csrss.exe{4A7D70D7-65D7-6140-C206-00000000F101}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028012Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:27.563{4A7D70D7-4C3D-6140-9E00-00000000F101}3602632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4A7D70D7-65D7-6140-C206-00000000F101}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028011Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:27.564{4A7D70D7-65D7-6140-C206-00000000F101}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4A7D70D7-4BB7-6140-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4A7D70D7-4C3D-6140-9E00-00000000F101}360C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028010Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:27.329{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4228EE5C6E40E5FC65C6FBDD89F2E21,SHA256=579D6D093DD398B5D9B76F0C72A8F95A63E62146F5BE69A00E3EA37997D2F22A,IMPHASH=00000000000000000000000000000000falsetrue 
354300x800000000000000052486Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:26.258{C8F4C507-4953-6140-6D00-00000000F001}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-158.attackrange.local53815-false10.0.1.12-8000- 23542300x800000000000000052488Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:28.813{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0584D60A2B109F492ECE5ECEA020AF82,SHA256=905F637552646A5778532B7FD2454374838156ACE3721254F58A2F7FED74A580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028025Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:28.344{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47BD71DE40986628FF0E73506BE379D9,SHA256=030A2B6928CABD680C7B04DF33891D7E8906B53F8AEA3E8C5519E08B95CDDF87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052489Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:29.829{C8F4C507-495A-6140-7B00-00000000F001}3640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F960C5A46317512B4E8F11B4BCA073E,SHA256=6F449BE76B11B5EAB365A4F7670A3F178574D7D5249666AD68C5691DB05025AB,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000028026Microsoft-Windows-Sysmon/Operationalwin-host-574.attackrange.local-2021-09-14 09:05:29.469{4A7D70D7-4C4C-6140-D500-00000000F101}4060NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A066621E535401503A1BFC71A9CF1642,SHA256=34A653F3F3DEBB47000412CD852422181A2E8BF2180CFB4A53D396A0642DD518,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052490Microsoft-Windows-Sysmon/Operationalwin-dc-158.attackrange.local-2021-09-14 09:05:27.931{C8F4C507-4938-6140-1000-00000000F001}420C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:d95c:c36c:7423:d3edwin-dc-158.attackrange.local546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server