23542300x8000000000000000101107Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:06.985{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47A2C217BA5AD81903A74306116A82BD,SHA256=6478797CF0D8AA3A6BD41C271E5582724EC99E9EBFEFDBABB03C3BB231DC28A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090445Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:07.365{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3A8685AF43155BAAA908E799A4199EF,SHA256=A4A3B1C28E2082E8BB9658DD59C32BA9B5E22D00A80FF944F324686AE00C71A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101114Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:05.848{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57461-false10.0.1.12-8000- 23542300x8000000000000000101113Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:07.318{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=8793BBFFBB5BEE0F872E47988676B0E9,SHA256=7A6B15E091B346CF023711E5665D1D99584BDCEBE81BB90A8A65E43FB6E5861A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101112Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:07.318{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=9A8B302C5D0B57DC8BE1F024D4A09DB1,SHA256=9635770ADAEADD4CE32EB02C3DD04AAB7C767CEF9C216E484521229AE3FBAA8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101111Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:07.318{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=18F1966252678C3ECF34F7A5C5CE595F,SHA256=25F63EB61527B908E6986745E70C78EAB361B639271417C0C6B20403658E43B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101110Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:07.318{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=D1907976FCDD2FDDE340807B0A0CB0F2,SHA256=79BB75CD876DAF8BF478F12152ACB046CA2AB45D4379EEDF5CA70CE9B3F53A74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101109Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:07.318{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=7369B145728D27D93A686BF7AEB2BCD2,SHA256=96CAEBEF079DF9B2156F5182870A023A09D72FEDE218EBE5DDFFE05FE618F0CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101108Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:07.318{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=2BA3F9FE1BEA782E71E9EDF3A2DC0AF6,SHA256=3E35098F1158CEE61394D55010FCC91BD84671CD751766F482186FB63B65E0F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090447Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:08.396{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22C473EE9BA99BA172444A25B445B265,SHA256=594E6E8594EE7EBEB5DCABCC12C49474394AE0AB6AAA814A5D701315B24B8DFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101115Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:08.028{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3824A981D42158C24AB9F9CC4C8AC98,SHA256=10BCDFAB170DDAF6327DF55C8BF8E4566ACE00798ED5135A4001F12284E8A213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090446Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:08.208{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9F8A371A8B817A02206A574BD77342F,SHA256=1A3E8AB0108709FD8A678CB1B6E0B3C20044807295DCBB390AC61DA6065B39A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090449Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:09.677{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8BC23276FC24AEA01B0D474022E9DE4,SHA256=00DB112798CFD5BD13AA6DE56F4B1B93146495E655103CF91E829A841CE38AA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090448Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:09.412{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25D831BB21F385E66C970AB00D34E6C7,SHA256=B7E2F7C1999A9D9955D3EAC6EE1681BE99171F0414DE769E4CE0BB3FC7884AA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101116Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:09.029{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D2AC7AF3C6F3E6AC7A02E432001CF29,SHA256=ECF65FFB7452F17CDE5206D19CA7A2A0DBA9C8E68D49161F92EEEEE9386042AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090451Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:10.740{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2736E7FA6AE3F30BBA72CE0E983005CC,SHA256=ABF80D0458675754797D20410A425A06F57DEF1F3461E6B1E0680EAC2BB9704E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090450Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:10.443{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEA442D8003458C0CF13CED8B797C9BB,SHA256=6C63A3BF61B02DD21FE7063F4085B8049F8DBB16CD1BDF10684AFD823037CC19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101117Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:10.047{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=892138A88CED48C1E7E5E45B18558D6C,SHA256=99AF7D22D41D7D88CFC78AF3A8F200F581E9CF1781372E67B883E7F591ADD263,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090453Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:11.849{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=768523FA57F1562C5C770441885015DD,SHA256=8E65E6BA552E8D207D7521D974EC4AEA48CCBDCB7EB5FEC9042548D1CA26B74B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090452Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:11.459{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=169818A023796DA33A8D04931322082C,SHA256=E9894A4899779075A05CAF023D4317712058043A60B4FF3B1FC8FD273EC56A89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101118Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:11.066{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2566C5C2BD661EEE72FD3DFE95DE84D,SHA256=8DFBEEC485E15BAEB43070FFBE3D956F7DEA952CF71D7E2D5BF9ADE0A73B45A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090454Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:12.490{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=394E1C3F1CC780C816536BEEAAD687BA,SHA256=5E52C7354AE16672A27338550F7D1C530C42CA9D2453AE4BDD6F4EF5DACFD648,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101119Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:12.082{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F6DD2015226BB77479BCB610D4CF0E2,SHA256=8E4436C25B92A97096F0EE1654F8E48CBF1366EDBEA53E426B295C99C62AF860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090457Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:13.521{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E3A2C0AFFCA2C4659E5BC03939EB3B,SHA256=D9F27C83468B12C7D9E68225F6F6F83941B442814749C1A94FC621FF1FAC29D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101121Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:11.615{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57462-false10.0.1.12-8000- 23542300x8000000000000000101120Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:13.096{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECDFAFC0EDF2410F3152413DBA05F747,SHA256=8366CE8245A88AF5B4E1213D4CBC6906230B4D8D68E9473449E53EABBAFBE83B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090456Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:10.857{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50714-false10.0.1.12-8000- 23542300x800000000000000090455Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:13.037{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EB8DEC02843336C43097334104640D4,SHA256=3141DFBF0AC4B90DD63A92D0FA96D0F91B8D818E721DFC332C1EE2FEFFB06415,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090459Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:14.537{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79EA24D6DF971B8C85406E8D360E2613,SHA256=979FD7394EC94BD6F7B119DAD4DCC653E42F8C4F9E7ED8A58DC32C5D3645F539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101122Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:14.114{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05E80D43264AAB1914EB9C355C443C73,SHA256=F3DDEC292D32BC55544AE35DC2C676DC933A4DEF2AA5B97C76D6A8808E6B0B2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090458Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:14.240{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57FA64D77B5F4811A81221C5485F650C,SHA256=B8A2ABF28121F271251784784D036AAF4EC0959859AB512ECA1EEFE5ED69AAE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090461Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:15.599{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DF2AA67AA597A05F86B6640B0968901,SHA256=C2E35426A1A29468B31DCE6F2284B127B63F73A1D0FA612318E78CAD15B2B7A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090460Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:15.553{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DAAFEC19993682D2A3C323833FF8701,SHA256=A232EF70B8A20FF2ADCF785E99B9AC3FB432428F3DC6FC1F0629F201D07C0042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101123Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:15.128{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2D9BE39481D5DEAA6D057344058D88E,SHA256=0AB365CD86C9E5D7ED29358237D87FB2505E464A44BCA1E30A1148E0428ADA5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090463Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:16.896{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08219BE6D6C58DD44FB8691B849609C9,SHA256=EC65A5305A2ADB6DD5C519845AAB47FF3FB76A8E37423218546893F25C32EBDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090462Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:16.568{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79104D948CB5B463510E07B080CB2544,SHA256=5C258B3A90CC4837FC6212DBD0E78853D524E84B7B7EE5A65A56F32909907498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101124Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:16.129{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99F2D4C291694D725844C4B68B5DD2D0,SHA256=8123A30BF76CBA2E16952FC8FA7975570C3B65BC19C80E02B42D1EE0446A10E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101125Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:17.145{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7DBCF316D5C5D6504F3CA21DD2D34E,SHA256=5BAC55D11BE854598E6C741A39D2349510EDD2799A69BF5DCA0EA9FBD97CAC2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090464Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:17.599{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C7491A9A587DE063B065614C5281C2,SHA256=0855CB51AAD90991ADAB17218C8C05667936F4706D86C6E8B27363093BCE73DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090467Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:18.600{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13747695BFA493C01692A36967585616,SHA256=CF502F7E6E099A381F77515BB33031CF810B13AAF88052024EFD5CDDE1C3A9EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101127Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:16.668{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57463-false10.0.1.12-8000- 23542300x8000000000000000101126Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:18.167{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C060FA017173B27A178A2F40FE7A9CC3,SHA256=6512FC2CCB083007B50A69F370C8BF4B087BCD2B69CEB5E48CC1D225F50A26ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090466Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:16.841{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50715-false10.0.1.12-8000- 23542300x800000000000000090465Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:18.053{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78E51DB625B17A3DFCB7731CC0035052,SHA256=510C8CF95162B977A33AB97147CCFFFA69E7768C89D0465C307C4CE31162759F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090469Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:19.631{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40CFF5FB8C17D4D5983316678D08B6F5,SHA256=30928F4E09CB94AB7A3B8D63C4061EAEEF6E38981C204AE25B3C14A5E0343935,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101131Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:19.882{3A00444C-84F0-6086-5002-00000000BC01}47324820C:\Windows\Explorer.EXE{3A00444C-8594-6086-7502-00000000BC01}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF80024E648C8)|UNKNOWN(FFFFC4AB016B4A38)|UNKNOWN(FFFFC4AB016B4BB7)|UNKNOWN(FFFFC4AB016AF241)|UNKNOWN(FFFFC4AB016B0C0A)|UNKNOWN(FFFFC4AB016AEEC6)|UNKNOWN(FFFFF80024B7BE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000101130Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:19.882{3A00444C-84F0-6086-5002-00000000BC01}47324820C:\Windows\Explorer.EXE{3A00444C-8594-6086-7502-00000000BC01}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF80024E648C8)|UNKNOWN(FFFFC4AB016B4A38)|UNKNOWN(FFFFC4AB016B4BB7)|UNKNOWN(FFFFC4AB016AF241)|UNKNOWN(FFFFC4AB016B0C0A)|UNKNOWN(FFFFC4AB016AEEC6)|UNKNOWN(FFFFF80024B7BE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000101129Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:19.882{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF493ad3.TMPMD5=C99EE02EBFB64BDE6B873A56BB796C66,SHA256=C71E259F4C9B0D61592A2D077072B03E7F90454AA9B9A4CD017E3051F09C73F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101128Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:19.198{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FC467CC2CD8857B4AECCB8544FACD1C,SHA256=95E1B1FE9EDA9AAA2498879B0EFC568F0CD9BAC2CD1F7AF21F25F6ED16C14059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090468Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:19.396{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FF6BF36A70671A58400DF23F9B33DD4,SHA256=11CD5F062F099F4E049F09215C6CB7957F6D7B28FC8C03970843D75E50FDA4C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090471Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:20.818{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06CD1C66B9631E22904F69577D88F45E,SHA256=244C6C9189D921BA851D5C0CCD6380991346E13F062326915197B9B973037E33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090470Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:20.662{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=930F4F0B6A27551FB5635998C95002E1,SHA256=E92475C1FA39A5E5F628BFCE4E5FEF8C5E3381D9A7AD206B20BFC5BC8763E994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101132Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:20.228{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7D95B9D2812BD7FE2386F85443C7F0A,SHA256=6DFBD5F2114839D8DCEC668086BF6D87EBADC79B828F3E4C90CE743D47A56D26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090473Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:21.928{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=780EF3A2F2CBF4177C710AEE8ABCE5E8,SHA256=823CEE9C946725D3F280894364B1E9FA01F33CC8F96B4DC5ED074A597C3D9ED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090472Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:21.678{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB1A762476850580231B32A42BA2F795,SHA256=85A24A844F453697BE1992B932B117E803C7CF9F3A93A61B28F14A0A44920671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101133Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:21.229{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=762E4BAFC857788B40962AD22D4E209A,SHA256=762DCDF223ACF7A7F9E335EF1E79F9FF5548169699191AD430C95C4677E4F280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090474Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:22.694{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C89D1505D1F2BE9E6FA50613CFEE61E0,SHA256=67ECBAF48DD3DD70C0CE357F74697A9378F3B2CDDB7B865845187B4B6D0C0ECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101134Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:22.229{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=872714F9D1AB9265DB1EF5A463130826,SHA256=532A91297E9ECD56B1A77BA7A0FDC794E3A1EFC2FA52E9B8756C995E58B97037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101135Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:23.229{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE13589536DC09C8CADF4645C2CA0D1C,SHA256=8FD41353C558FE5A0928EFE56BFD7D8AC76D6F4FDBDCB46C1E04709DC8EA3E12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090477Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:23.709{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=597A19FB9715B4EE25042350CD08E941,SHA256=44B1DE3A92512005793BB98A43606AE756691CE0AA1E5FC03C87B0F0DD7C07BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090476Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:22.076{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50716-false10.0.1.12-8000- 23542300x800000000000000090475Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:23.068{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAC5B607ECF79B424DA3FC4AD6C8A6D6,SHA256=BD5DA40B51123ACB2D490483A771A1335B60C4C0B559E038B9F77BAE7F9C5C94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090479Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:24.725{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B1AD68B926E1AA249B910EDF0860F93,SHA256=0CAAE5CEF62645C9C4E994E8A1BD79AC24F95B5886072038E6BC590DE40E8DE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101138Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:21.700{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57464-false10.0.1.12-8000- 10341000x8000000000000000101137Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:24.397{3A00444C-7713-6086-0B00-00000000BC01}6241196C:\Windows\system32\lsass.exe{3A00444C-7711-6086-0100-00000000BC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000101136Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:24.247{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02DBC3FC8F597D32A421060079A3EF28,SHA256=AF2A2A080AA821C6CB47031B94BBC6372A36BE8A37B8327F0937DB04A8C00C53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090478Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:24.272{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FEBCDDEA1E7913169D1053D46FDD26C,SHA256=39027282DD1F2A057CA7A34CC6CD456F7B0965AB25638661792CA3AF6D29C040,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090481Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:25.756{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F30C82D5812B44BCAB307E06A77D231E,SHA256=915C2D6316C268892770B5808E908864DDD10FF9427CBCA21AD781BF076E56BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101145Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:25.929{3A00444C-7715-6086-0F00-00000000BC01}2962080C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2E00-00000000BC01}2208C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101144Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:25.929{3A00444C-7715-6086-0F00-00000000BC01}2962080C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2E00-00000000BC01}2208C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000101143Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:24.001{3A00444C-7711-6086-0100-00000000BC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local57465-truefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local445microsoft-ds 354300x8000000000000000101142Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:24.001{3A00444C-7711-6086-0100-00000000BC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local57465-truefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local445microsoft-ds 23542300x8000000000000000101141Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:25.413{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4E8513CBCA6341005B8460EE7F781AF,SHA256=F30A7868136EB0E39F10D82A42AC5A7E1E49390A8ADBDE5D3053D881661D951C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101140Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:25.413{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C141371D911FA33DA911FB23426106D6,SHA256=4D5BC7DBBE6E995832DEA228F03A5589AA3D413DF445A8215FD73E685E9C5D6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101139Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:25.266{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E1968916F92A9593185D2D823BC5624,SHA256=E50B0DE175B514D68382D6442A4349A9E22C132A5B818D0B8E0529A6ACD0037F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090480Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:25.475{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DCE3C89CD7711A6C44A9554C3731DC6,SHA256=D8AFF0C81244B8FFD59C928138B832219121A6E2538D3A8E587C2C366300977E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090482Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:26.772{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E67C920C5F06CA45C91579BF96D5427,SHA256=D20244B690A2E14222409223A5CD7A3D0F6A1ADE28BD0C44DFB4EB24125E7051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101147Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:26.297{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A177C531857767FE9EE41AD44CB7178,SHA256=5A4654EE583C6672ED3DC54CE17E3502C67EF285ED4D9F8506617023F6F3FC7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101146Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:26.246{3A00444C-7715-6086-1200-00000000BC01}612NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=04DA994F8F87B7360BD62C1A9640FB07,SHA256=A0BA5F76D40BEAD3E969ABE9B605DE4D4A86476F16DD4E0A050098AE7666DB65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090484Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:27.850{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9114D852607E5A14AD120B534EA563F,SHA256=AC7D32D8EB022B3AA7083C300DC03B19F5135740E1532CBF7392FF14E29DD701,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000101158Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-SetValue2021-04-26 09:37:27.628{3A00444C-7713-6086-0B00-00000000BC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000101157Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-SetValue2021-04-26 09:37:27.628{3A00444C-7713-6086-0B00-00000000BC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00495909) 13241300x8000000000000000101156Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-SetValue2021-04-26 09:37:27.628{3A00444C-7713-6086-0B00-00000000BC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d73a77-0x632e176a) 13241300x8000000000000000101155Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-SetValue2021-04-26 09:37:27.628{3A00444C-7713-6086-0B00-00000000BC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d73a7f-0xc4f27f6a) 13241300x8000000000000000101154Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-SetValue2021-04-26 09:37:27.628{3A00444C-7713-6086-0B00-00000000BC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d73a88-0x26b6e76a) 13241300x8000000000000000101153Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-SetValue2021-04-26 09:37:27.628{3A00444C-7713-6086-0B00-00000000BC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000101152Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-SetValue2021-04-26 09:37:27.628{3A00444C-7713-6086-0B00-00000000BC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00495909) 13241300x8000000000000000101151Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-SetValue2021-04-26 09:37:27.628{3A00444C-7713-6086-0B00-00000000BC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d73a77-0x632e176a) 13241300x8000000000000000101150Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-SetValue2021-04-26 09:37:27.628{3A00444C-7713-6086-0B00-00000000BC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d73a7f-0xc4f27f6a) 13241300x8000000000000000101149Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-SetValue2021-04-26 09:37:27.628{3A00444C-7713-6086-0B00-00000000BC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d73a88-0x26b6e76a) 23542300x8000000000000000101148Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:27.298{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E13457038F77953B3C081D819A13C4FB,SHA256=B0B58005446E9AA6C4C9B896F4BFB5138D4EEF0A403E83637F247ED1FFE72FA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090483Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:27.022{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDE633FEB2739712DD94D1ABC3F5E440,SHA256=8C9A18237FF97D13AC0446D990D60D11328F8235D988D0A241C183439E6BE2CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090486Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:28.866{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=578E25947D980DFF7DD6EC4CA8CBFDA4,SHA256=4E4B766AC8A6B7105D52BCE43668CA0D0BE2D0F448BF0AF8642EB4F383279C9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101159Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:28.329{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF0A9DAA796821542934BA5AF212BBB9,SHA256=EA8E45086D5E71EA49017553AFBDA51022FFEF373E6DFB8CAA1AFDBD773E7C2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090485Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:28.194{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B455C556C5324C8793763354AAFEF74,SHA256=20ECA5289E7E0F8E8F418E237A000D47BA55C77A77D49658FF71A4D705E8F461,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090489Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:29.881{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC0772FC2F1E927FBEAA411F20949C5D,SHA256=CA1D3097924631E1283F6F96974DAADA434E2D53497BA06A9E946AC49E182708,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101161Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:26.701{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57466-false10.0.1.12-8000- 23542300x8000000000000000101160Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:29.359{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDBB7E31423874C124C4D86D202E6C8C,SHA256=5CA5F8B2D010A9D9942A17A060FC83CC779285CE606C5F3E1302A0A073522BC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090488Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:27.919{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50717-false10.0.1.12-8000- 23542300x800000000000000090487Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:29.225{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B241E9E1C7C4B236D40E57279CAF3D4,SHA256=30F34E90E02E43774DC40316CAAF8D163CBFA516B4BDA53CE7234BA5E6796D4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090491Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:30.944{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62001D5647FE8AE4D9588CE45427564E,SHA256=3A6A67C0ECF0E071C5A05CA5E30775283D720C8B1A49622BCFD921B538D24130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101162Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:30.365{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=711EB2FA632A3B7FA35CE93A624ECBC8,SHA256=EB7E568FB977FA1ABA404A7254F743FCB40858276226CAB99B9BC01B29D7FD61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090490Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:30.381{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D083022D0EFC1C0F2CB42DC53D895157,SHA256=8D1751FAC7409CE44730B79DA06C7B0550420F60E0F0001951274F8F7ACF68AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090493Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:31.991{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=719E1B5A5204CCD59E0E558EFC420C70,SHA256=E52B969D169A20A964FA80304D69B5C5569BAF5A6D019EEDFBCFF2322E5F2295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101163Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:31.366{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=953299FBBB02F9E7648C2976256D72FC,SHA256=028E99148C6175D5D26669BA070139BD3F8836059FD6FFED2A6986381C1F630B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090492Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:31.694{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73BA888AD4B1D013D0A167A4D4388CD9,SHA256=3ED3D855F9FDAA142AE442D6D2A432B90C82DCEBE44DFF40A4B4468A848C2244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101164Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:32.367{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD4930BCEE040A6408DEEA20C2CB1BA0,SHA256=D632B96FC7C28037CB96F7046D37F28C1067D9B5C60FA45A9189F7DA855506D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101166Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:31.749{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57467-false10.0.1.12-8000- 23542300x8000000000000000101165Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:33.412{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB823FC3166D4E06EE32CDAD0844CD06,SHA256=14A59D53D234B620814196F4B66B5BFF8C9C117CC45A4986DC1086D21EFD626D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090495Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:33.163{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92EEA238893AF1A1CB07B4895427EB4C,SHA256=2966549F06703249CF6D012C0AE0E8362D2FE57F0F86E752CCC9B750BEC1A320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090494Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:33.069{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D062B0888DD0B681AE08F0E3531384F9,SHA256=2BA05E84D10D90857E1E592893A174D208770C28D3CFBFA3F2B632C762E157BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101167Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:34.413{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E6996C3C1512DAEE5DBFD21730214D,SHA256=17D0A29E949FC9712C67E40D0BF0A6136944F6C3D9C3793F53C2B3E7EAE86FDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090497Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:34.272{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E7628EE1FD5B206EC7C70AD0DB62275,SHA256=3DA97AB264B2C1FA824540052EB34653CCFA86D410C673D700BFFB0378117D53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090496Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:34.100{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=508363597B095A114BFE042C15AFEF70,SHA256=AF4D283CEFA7CFA8914C16D7EDB328B24C9764A35229A936AB23DE0EABE0A5B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101168Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:35.413{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD34D35967761BF645EEB7A3C0619846,SHA256=D3E92368E7628B37C0752219C581FAC996E3318DEBB205BD9D88139683877D00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090499Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:35.397{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7DC56CBFAB8C1169A0E94E541F7AED3,SHA256=6182AA2A440873A5EBA4F48EF9FA39E9A1B0A85D753B396FDB9ED53496C8638F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090498Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:35.178{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DDD7F4BFE3695FF32301D39E9AA6D5B,SHA256=BB589A949C3224BC3A0BE64EC13850E04E4DF8DA3C8AC8A33708BCF8E710E52A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101232Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.613{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DBCEDEAC63ABEECFE2ED76024E079BD,SHA256=B030EDB7E65C252BE3B140034BC45AB5E391A914393C7C47FC6C79FCFB006033,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101231Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.582{3A00444C-7715-6086-0F00-00000000BC01}2963100C:\Windows\system32\svchost.exe{3A00444C-89E0-6086-0803-00000000BC01}6548C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101230Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.582{3A00444C-7715-6086-0F00-00000000BC01}2961324C:\Windows\system32\svchost.exe{3A00444C-89E0-6086-0803-00000000BC01}6548C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101229Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.582{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-89E0-6086-0803-00000000BC01}6548C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101228Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.582{3A00444C-84ED-6086-3F02-00000000BC01}1328908C:\Windows\system32\csrss.exe{3A00444C-89E0-6086-0803-00000000BC01}6548C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101227Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.582{3A00444C-7713-6086-0500-00000000BC01}408424C:\Windows\system32\csrss.exe{3A00444C-89E0-6086-0803-00000000BC01}6548C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101226Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.582{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-89E0-6086-0803-00000000BC01}6548C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101225Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.566{3A00444C-84EF-6086-4602-00000000BC01}41123160C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101224Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.566{3A00444C-84EF-6086-4602-00000000BC01}41123160C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101223Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.566{3A00444C-84F0-6086-5002-00000000BC01}47325024C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101222Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.566{3A00444C-84F0-6086-5002-00000000BC01}47325024C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101221Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.551{3A00444C-84EF-6086-4602-00000000BC01}41123160C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000101220Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.551{3A00444C-84EF-6086-4602-00000000BC01}41123160C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000101219Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.551{3A00444C-84EF-6086-4602-00000000BC01}41127112C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101218Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.551{3A00444C-84EF-6086-4602-00000000BC01}41127112C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000101217Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.551{3A00444C-84F0-6086-5002-00000000BC01}47324328C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101216Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.551{3A00444C-84F0-6086-5002-00000000BC01}47324328C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101215Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.551{3A00444C-84F0-6086-5002-00000000BC01}47324844C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000101214Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.551{3A00444C-84F0-6086-5002-00000000BC01}47324844C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000101213Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.549{3A00444C-84F0-6086-5002-00000000BC01}47324792C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101212Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.549{3A00444C-84F0-6086-5002-00000000BC01}47324792C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101211Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.547{3A00444C-84F0-6086-5002-00000000BC01}47324792C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101210Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.529{3A00444C-7715-6086-0C00-00000000BC01}8363808C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101209Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.529{3A00444C-7715-6086-0C00-00000000BC01}8361140C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101208Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.529{3A00444C-7715-6086-0C00-00000000BC01}8361140C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101207Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.529{3A00444C-7715-6086-0C00-00000000BC01}8361140C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101206Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.529{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000101205Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.529{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000101204Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.529{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000101203Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.529{3A00444C-84F0-6086-5002-00000000BC01}47324900C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101202Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.529{3A00444C-84F0-6086-5002-00000000BC01}47324288C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101201Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.529{3A00444C-84F0-6086-5002-00000000BC01}47324288C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000090502Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:36.538{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19E59360C236AA6930E44C9C539BBDC7,SHA256=E6EBBC775CD50EF183018F6F7CC9AE812309C23156F0AD7B923664DBA6921DF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090501Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:36.288{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75F1BB47569A7D837D77ED0AE9C9CF86,SHA256=8F9A3DFC001510CB68244D4DC5F56C08BA233A560C4CF7D94EFCA37B611F7547,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101200Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.149{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E893B67E68D3ECCF776F76353C2A959,SHA256=882F11F90A8272393D3C880FC5E5655784594D6775A1642687F582B547FB3742,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101199Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.148{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4E8513CBCA6341005B8460EE7F781AF,SHA256=F30A7868136EB0E39F10D82A42AC5A7E1E49390A8ADBDE5D3053D881661D951C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101198Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.046{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101197Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.046{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101196Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.046{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101195Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.046{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101194Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.046{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101193Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.046{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101192Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.046{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101191Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.046{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101190Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.046{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101189Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.046{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101188Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.046{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101187Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.046{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101186Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.046{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101185Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.046{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101184Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.045{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101183Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.045{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101182Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.045{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101181Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.045{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101180Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.045{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101179Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.045{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101178Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.045{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101177Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.045{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101176Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.045{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101175Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.045{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101174Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.045{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101173Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.045{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101172Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.045{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101171Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.045{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101170Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.045{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101169Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.045{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000090500Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:33.919{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50718-false10.0.1.12-8000- 23542300x800000000000000090504Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:37.694{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B67D0D63C34135A33C55925D8E5763E,SHA256=81E139C5BB49C5F9BCBA985B76D98CC489D233DB61C788DF8F95A319C1322184,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090503Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:37.319{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3C4B5CCC3FD490C5BE5F64C53890B8,SHA256=999F69F262D3C6128F150B44535C17B1E4ACBA479BFD494A1B32F5D822897554,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101254Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.948{3A00444C-84EF-6086-4602-00000000BC01}41126520C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101253Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.948{3A00444C-84EF-6086-4602-00000000BC01}41126520C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000101252Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.948{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101251Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.948{3A00444C-84EF-6086-4602-00000000BC01}41123160C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101250Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.948{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000101249Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.948{3A00444C-84EF-6086-4602-00000000BC01}41123160C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000101248Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.947{3A00444C-84EF-6086-4602-00000000BC01}41126520C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101247Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.947{3A00444C-84EF-6086-4602-00000000BC01}41126520C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000101246Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.797{3A00444C-84F1-6086-5302-00000000BC01}5076ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4R6QX44A\microsoft.windows[1].xmlMD5=5BF5DBE4A9A4B41A837FE30805AE4274,SHA256=2B49D9E8E8042CBC91DF3CDFFDD399622AFFF06E75EE787D3D717F5195595192,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101245Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.797{3A00444C-84EF-6086-4602-00000000BC01}41126520C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101244Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.797{3A00444C-84EF-6086-4602-00000000BC01}41126520C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000101243Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.797{3A00444C-84EF-6086-4602-00000000BC01}41123160C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101242Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.797{3A00444C-84EF-6086-4602-00000000BC01}41123160C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000101241Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.797{3A00444C-84EF-6086-4602-00000000BC01}41127112C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101240Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.797{3A00444C-84EF-6086-4602-00000000BC01}41127112C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000101239Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.797{3A00444C-84EF-6086-4602-00000000BC01}41123160C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101238Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.797{3A00444C-84EF-6086-4602-00000000BC01}41123160C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000101237Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.782{3A00444C-84F1-6086-5302-00000000BC01}5076ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4R6QX44A\microsoft.windows[1].xmlMD5=357AA2A9FD6F03F64128266CED769B3E,SHA256=1BDA7D217947C3F371457666A90878A6429A892C81B3B665B6B3DE1173F19738,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101236Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.782{3A00444C-84EF-6086-4602-00000000BC01}41123160C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101235Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.782{3A00444C-84EF-6086-4602-00000000BC01}41123160C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 23542300x8000000000000000101234Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.766{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88AA5D08B77BF1C6C75BA7F302218607,SHA256=39F9AC46F66172C31F13F67283015A8771584EDC13D573BB3C063291037B03DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101233Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:37.766{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E893B67E68D3ECCF776F76353C2A959,SHA256=882F11F90A8272393D3C880FC5E5655784594D6775A1642687F582B547FB3742,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101281Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:36.800{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57468-false10.0.1.12-8000- 23542300x8000000000000000101280Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.782{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4375A8A69D54767130E015A7F366E1F1,SHA256=E11A5FAA1DCC1D78F467A754C2356D67747751610520FB12885F274DC7D70C4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090506Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:38.882{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAED26BCF168B10D11193419C10188BD,SHA256=B74E90B3D718678AFD3C118F2D9A1C652D102258DF96D504922B342A6A1B6BB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090505Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:38.507{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5B26BD6E975B1F0D07426C97148BABE,SHA256=00590D3378AD0C8D231B3D6B5505B45779EA9744851BF79C88DACC5E69C5917A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101279Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.381{3A00444C-84EF-6086-4602-00000000BC01}41125428C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101278Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.381{3A00444C-84EF-6086-4602-00000000BC01}41125428C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000101277Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.381{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101276Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.381{3A00444C-84EF-6086-4602-00000000BC01}41124152C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101275Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.381{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000101274Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.381{3A00444C-84EF-6086-4602-00000000BC01}41124152C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000101273Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.381{3A00444C-84EF-6086-4602-00000000BC01}41126520C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101272Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.381{3A00444C-84EF-6086-4602-00000000BC01}41126520C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000101271Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.366{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6396878920AB091674B6FADD6BA284,SHA256=41A36C04A1F0B858FC4206E1F1288936963F5B3E750DD683FDEC23F75D4E2F68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101270Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.182{3A00444C-84EF-6086-4602-00000000BC01}41124152C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101269Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.182{3A00444C-84EF-6086-4602-00000000BC01}41126520C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101268Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.182{3A00444C-84EF-6086-4602-00000000BC01}41124152C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000101267Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.182{3A00444C-84EF-6086-4602-00000000BC01}41126520C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000101266Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.182{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101265Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.182{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000101264Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.182{3A00444C-84EF-6086-4602-00000000BC01}41126520C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101263Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.182{3A00444C-84EF-6086-4602-00000000BC01}41126520C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101262Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.113{3A00444C-84EF-6086-4602-00000000BC01}41126520C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101261Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.113{3A00444C-84EF-6086-4602-00000000BC01}41124152C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101260Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.113{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101259Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.113{3A00444C-84EF-6086-4602-00000000BC01}41126520C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000101258Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.113{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000101257Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.113{3A00444C-84EF-6086-4602-00000000BC01}41124152C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000101256Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.113{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101255Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:38.113{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000101282Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:39.782{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3C7E7EB397595C273B10EC4BB45A2B8,SHA256=7DEB0F1654716712FC2E046857142A104FCA3BF40074C4AF818035FC589A5E91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090508Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:39.991{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46A4F2E41DFE12F24C15F43B14F1B02B,SHA256=E32F4DF890CD59D3AF240736C1301B8BE55DC6900C59147EA785BB5682372C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090507Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:39.554{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=164896AC8ECCEA0A7714B3FD3A27CD29,SHA256=A98E1F6E90959EC50B08694E1F465CF76D9E17D289D37790397BD4709969B9AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101283Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:40.814{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=754578E206381BA9DB5064AD9FEEC161,SHA256=A4B79263964E447968C92E82A13F4C0908DD418D955609CA71E47925F48CA63D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090509Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:40.632{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4068E99EDC53B768DD44E894CAC2F3,SHA256=45E0120909BD6B037707F46D30F50E6FCD2FA0D602182AE317D1E9C20267F9B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090512Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:41.679{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F62A8242C8241F666D942FA155C5A9,SHA256=CDD92411421BFC04E707AC2313A420316B4C5F17D90C370194D03C6CF2985A9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101325Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.967{3A00444C-7715-6086-0F00-00000000BC01}2963100C:\Windows\system32\svchost.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101324Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.967{3A00444C-7715-6086-0F00-00000000BC01}2961324C:\Windows\system32\svchost.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101323Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.951{3A00444C-7715-6086-0C00-00000000BC01}8363808C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101322Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.951{3A00444C-7715-6086-0C00-00000000BC01}8363808C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101321Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.951{3A00444C-7715-6086-0C00-00000000BC01}8363808C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101320Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.951{3A00444C-7715-6086-0C00-00000000BC01}8363808C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101319Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.951{3A00444C-84ED-6086-3F02-00000000BC01}1328908C:\Windows\system32\csrss.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101318Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.951{3A00444C-84EF-6086-4602-00000000BC01}41126152C:\Windows\System32\RuntimeBroker.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\windows.storage.dll+16650e|C:\Windows\System32\windows.storage.dll+166202|C:\Windows\System32\SHELL32.dll+3f8cd|C:\Windows\System32\SHELL32.dll+3e466|C:\Windows\System32\SHELL32.dll+80256|C:\Windows\System32\SHELL32.dll+6718e|C:\Windows\System32\windows.storage.dll+2d1b2|C:\Windows\System32\windows.storage.dll+2cea9|C:\Windows\System32\windows.storage.dll+2cd7f|C:\Windows\System32\SHELL32.dll+80256|C:\Windows\System32\SHELL32.dll+6718e|C:\Windows\System32\SHELL32.dll+1740bf 154100x8000000000000000101317Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.959{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe10.0.14393.4046 (rs1_release.201028-1803)Windows PowerShell ISEMicrosoft® Windows® Operating SystemMicrosoft Corporationpowershell_ise.EXE"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{3A00444C-84EE-6086-9FDC-170000000000}0x17dc9f2HighMD5=FEBDA520271B683CD518B3425EC585D4,SHA256=8CFAC3F204DF864A5E9D9E20A4E7D4D70CB30A146661D0F7447A927BE74F7F04,IMPHASH=00000000000000000000000000000000{3A00444C-84EF-6086-4602-00000000BC01}4112C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding 10341000x8000000000000000101316Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.951{3A00444C-84F0-6086-5002-00000000BC01}47325024C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101315Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.951{3A00444C-84F0-6086-5002-00000000BC01}47325024C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101314Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.914{3A00444C-84F0-6086-5002-00000000BC01}47324844C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000101313Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.914{3A00444C-84F0-6086-5002-00000000BC01}47324844C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000101312Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.899{3A00444C-7715-6086-0C00-00000000BC01}8363808C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101311Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.899{3A00444C-84F0-6086-5002-00000000BC01}47327080C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101310Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.899{3A00444C-84F0-6086-5002-00000000BC01}47327080C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101309Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.899{3A00444C-84F0-6086-5002-00000000BC01}47325024C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101308Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.899{3A00444C-84F0-6086-5002-00000000BC01}47325024C:\Windows\Explorer.EXE{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101307Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.899{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101306Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.899{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2A00-00000000BC01}2904C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101305Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.899{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2A00-00000000BC01}2904C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101304Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.883{3A00444C-84EF-6086-4602-00000000BC01}41121944C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+36f20|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+32f80|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+22534|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\SharedStartModel.dll+77f37|C:\Windows\System32\SharedStartModel.dll+b2d9d|C:\Windows\System32\SharedStartModel.dll+b2285|C:\Windows\System32\SharedStartModel.dll+b2801|C:\Windows\system32\windows.cortana.Desktop.dll+a80e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f 10341000x8000000000000000101303Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.883{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2A00-00000000BC01}2904C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101302Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.883{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2A00-00000000BC01}2904C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101301Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.883{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+cdc7|C:\Windows\system32\windows.cortana.Desktop.dll+aedd|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101300Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.883{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+ae11|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101299Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.883{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+2fc27|C:\Windows\system32\windows.cortana.Desktop.dll+2fb6b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101298Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.883{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+2fb01|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101297Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.883{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+cdc7|C:\Windows\system32\windows.cortana.Desktop.dll+aedd|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101296Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.883{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+ae11|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000101295Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.814{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3357164DB12D37E85E7530E080B155,SHA256=10142F5430432714BFDBDF3F21775C78FD854F1AC98DAB3BDB81A07901CDBE22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101294Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.228{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2A00-00000000BC01}2904C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101293Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.228{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2A00-00000000BC01}2904C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101292Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.212{3A00444C-84EF-6086-4602-00000000BC01}41121944C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+36f20|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+32f80|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+22534|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\SharedStartModel.dll+77f37|C:\Windows\System32\SharedStartModel.dll+b2d9d|C:\Windows\System32\SharedStartModel.dll+b2a24|C:\Windows\System32\SharedStartModel.dll+b2fab|C:\Windows\system32\windows.cortana.Desktop.dll+a274|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f 10341000x8000000000000000101291Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.212{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2A00-00000000BC01}2904C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101290Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.212{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2A00-00000000BC01}2904C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101289Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.212{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2A00-00000000BC01}2904C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101288Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.212{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2A00-00000000BC01}2904C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101287Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.212{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2A00-00000000BC01}2904C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101286Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.212{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2A00-00000000BC01}2904C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101285Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.212{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+cdc7|C:\Windows\system32\windows.cortana.Desktop.dll+aedd|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000101284Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.212{3A00444C-84EF-6086-4602-00000000BC01}41121964C:\Windows\System32\RuntimeBroker.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+ae11|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 354300x800000000000000090511Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:38.997{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50719-false10.0.1.12-8000- 23542300x800000000000000090510Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:41.226{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF2307481D593A106FA4B4E44619D411,SHA256=A0B1C2B5F52D19EA25C453CEC219F69D8A36DF2D2AC293D15178F3EDB8A77010,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101353Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.988{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101352Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.987{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101351Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.986{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101350Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.986{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000101349Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.967{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=388CE36C36A2DDE30065D91A17E5A9A4,SHA256=F8F42FADE001A5F0FAD9AC1E04D1C46493A47BAB4DF69A46D6DA92CE8A82D123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101348Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.966{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=86B1178F17B644DF03383B3F773A9103,SHA256=3903821B9584B002FD8375F8395AF15B79215FADB67C0C62B2B0EE81E6F3D693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101347Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.965{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8D1B14E24DA440832424EA9771FC625,SHA256=7632FF02F4C609A5DA6DAD46AEC73F6B198F0AEFEC84FCA516915996412C398F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101346Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.848{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=074731EF6FDE9BEC37B45575DCA05A20,SHA256=75A34CBDE5209D9B5367E46CC8188F379E61C77E054EDA6D370B3760A888FD23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090514Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:42.710{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03170723BB53FDD9B3E87B84BCFAE464,SHA256=43DDE7F3985945B4BC5A441B2A8CF3CBA1E12DC10E81842D371463FA4495D686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090513Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:42.460{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F64B0001DD5F12D16A302E88C5F265B1,SHA256=807E10A28EA7F2D59C0D17E617E20CF1E18995834CA3CC3B4972E97540A0E44A,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000101345Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-CreatePipe2021-04-26 09:37:42.796{3A00444C-89E5-6086-0903-00000000BC01}1388\PSHost.132639034619594029.1388.DefaultAppDomain.powershell_iseC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe 23542300x8000000000000000101344Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.790{3A00444C-89E5-6086-0903-00000000BC01}1388ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_jmw3xxjx.2nn.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101343Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.790{3A00444C-89E5-6086-0903-00000000BC01}1388ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_2hlfj3ao.xd1.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000101342Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.783{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_2hlfj3ao.xd1.ps12021-04-26 09:37:42.783 23542300x8000000000000000101341Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.761{3A00444C-89E5-6086-0903-00000000BC01}1388ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Temp\WPF\xqoy0ocr.ua3MD5=F04A2805F60770668268454EDFC499FA,SHA256=AB3A68D162953659E8C02DBD5C13121DF9DB824D404824450FD38134E32F5ADF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101340Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.693{3A00444C-7713-6086-0B00-00000000BC01}624796C:\Windows\system32\lsass.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101339Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.693{3A00444C-7713-6086-0B00-00000000BC01}624796C:\Windows\system32\lsass.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000101338Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.675{3A00444C-89E5-6086-0903-00000000BC01}1388ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\ISE\S-1-5-5-0-1563636\PowerShellISEPipeName_1_c000c3e9-3089-4ae4-9576-0a20b58732d7MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000101337Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-CreatePipe2021-04-26 09:37:42.675{3A00444C-89E5-6086-0903-00000000BC01}1388\PowerShellISEPipeName_1_c000c3e9-3089-4ae4-9576-0a20b58732d7C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe 23542300x8000000000000000101336Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.329{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D3B5034896445145F80B505E6D3FAC,SHA256=B8F86AC6F55FCFF859F374374769A574D99F12EC74852FB2B076A91871B0CB6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101335Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.234{3A00444C-7715-6086-1100-00000000BC01}4761724C:\Windows\system32\svchost.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101334Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.229{3A00444C-84EF-6086-4A02-00000000BC01}42924496C:\Windows\system32\taskhostw.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101333Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.229{3A00444C-84EF-6086-4A02-00000000BC01}42924496C:\Windows\system32\taskhostw.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101332Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.216{3A00444C-7715-6086-1100-00000000BC01}4761724C:\Windows\system32\svchost.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101331Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.215{3A00444C-7715-6086-1100-00000000BC01}4761724C:\Windows\system32\svchost.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101330Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.067{3A00444C-7715-6086-0C00-00000000BC01}8363808C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000101329Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.067{3A00444C-7715-6086-0C00-00000000BC01}8363808C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000101328Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.067{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000101327Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:42.067{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000101326Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.998{3A00444C-7715-6086-0C00-00000000BC01}8363808C:\Windows\system32\svchost.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000101360Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:43.864{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF1E4F9F98E5042FCFE58D2E7890C405,SHA256=ACF9D8BDDF907FEC7BBBEBBFDF0F51B93AB1DCB8DDA1F29B2ACB941590D5C49D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090516Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:43.960{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34D966E2FD3110CBE17B85C3F93386C7,SHA256=BD90DC0764D1F575A0A8ACF1C20EACF6E4BFF887CFF403B5D11BB82335F904EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090515Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:43.726{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A64DF3927CACBE73FCFC410AB27C580,SHA256=E26C6EB703F93E8070486966BB1EBBF18136D2AA3F121DD3DFCAB86C5DBCC281,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101359Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:43.073{3A00444C-84F0-6086-5002-00000000BC01}47324948C:\Windows\Explorer.EXE{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+133d4|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101358Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:43.073{3A00444C-84F0-6086-5002-00000000BC01}47324948C:\Windows\Explorer.EXE{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+133d4|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101357Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:43.073{3A00444C-84EF-6086-4A02-00000000BC01}42924496C:\Windows\system32\taskhostw.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101356Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:43.073{3A00444C-84F0-6086-5002-00000000BC01}47324948C:\Windows\Explorer.EXE{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101355Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:43.073{3A00444C-84F0-6086-5002-00000000BC01}47324948C:\Windows\Explorer.EXE{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101354Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:43.072{3A00444C-84F0-6086-5002-00000000BC01}47324948C:\Windows\Explorer.EXE{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000101368Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:44.877{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A78D512287E52175B0F9427074B6184A,SHA256=1A2D807DE8E0C485418740A0C59F47FD90B941198128F4A1D7A927E18D8876B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090528Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:44.757{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BABB4BF3B5B6F57FB39082EAF22C575,SHA256=38DCCD7B092201C9D04FDF1B46D9BAB0A8EFD7B7569CFBDACA619943E8BB52ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101367Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:44.198{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D74203985DED4ADDC7D0213E02F3D65E,SHA256=EE18864F09F2D999714B4FC277BE14E226545E00F0BBCAA23E22277CA5089563,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101366Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:44.164{3A00444C-84F0-6086-5002-00000000BC01}47324792C:\Windows\Explorer.EXE{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101365Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:44.164{3A00444C-84F0-6086-5002-00000000BC01}47324792C:\Windows\Explorer.EXE{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101364Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:44.164{3A00444C-84F0-6086-5002-00000000BC01}47324900C:\Windows\Explorer.EXE{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101363Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:44.164{3A00444C-84F0-6086-5002-00000000BC01}47324900C:\Windows\Explorer.EXE{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101362Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:44.164{3A00444C-84F0-6086-5002-00000000BC01}47324900C:\Windows\Explorer.EXE{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000101361Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:41.814{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57469-false10.0.1.12-8000- 23542300x800000000000000090527Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:44.304{98176BC8-7727-6086-1200-00000000BC01}1096NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9CD98101F5FF262DAFE341EE77ACAFB3,SHA256=E4D4ABE3062FA70E4729B306EAEA273048FE11187476A3A2F64492960BB742D8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000090526Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-SetValue2021-04-26 09:37:44.194{98176BC8-7726-6086-0B00-00000000BC01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000090525Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-SetValue2021-04-26 09:37:44.194{98176BC8-7726-6086-0B00-00000000BC01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0049875d) 13241300x800000000000000090524Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-SetValue2021-04-26 09:37:44.194{98176BC8-7726-6086-0B00-00000000BC01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d73a77-0x6d0bc5d1) 13241300x800000000000000090523Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-SetValue2021-04-26 09:37:44.194{98176BC8-7726-6086-0B00-00000000BC01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d73a7f-0xced02dd1) 13241300x800000000000000090522Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-SetValue2021-04-26 09:37:44.194{98176BC8-7726-6086-0B00-00000000BC01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d73a88-0x309495d1) 13241300x800000000000000090521Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-SetValue2021-04-26 09:37:44.194{98176BC8-7726-6086-0B00-00000000BC01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000090520Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-SetValue2021-04-26 09:37:44.194{98176BC8-7726-6086-0B00-00000000BC01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0049875d) 13241300x800000000000000090519Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-SetValue2021-04-26 09:37:44.194{98176BC8-7726-6086-0B00-00000000BC01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d73a77-0x6d0bc5d1) 13241300x800000000000000090518Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-SetValue2021-04-26 09:37:44.194{98176BC8-7726-6086-0B00-00000000BC01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d73a7f-0xced02dd1) 13241300x800000000000000090517Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-SetValue2021-04-26 09:37:44.194{98176BC8-7726-6086-0B00-00000000BC01}844C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d73a88-0x309495d1) 23542300x8000000000000000101369Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:45.890{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=624923D9D6809AC7BE71C7352320213A,SHA256=C0E7EB5F25F1F4FB3A291515856D7705FECADFE83D31803611720E9617C69E2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090530Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:45.773{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=886D7463C9C70CF166B597BEE710B949,SHA256=C5D3F7BBC33274AE3CD87B7E592D55C74B6D38D1FD21860EBC25351DF1A720A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090529Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:45.148{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4FFF3238A9A298C0E9D2FA938412112,SHA256=ECDC151D6BB4BCE76428C9684426C319FD6CF43FA73CCA9D90016B06F7C8AEEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101370Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:46.916{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FECF6B19E2BDC121187B9476F39FB31,SHA256=463A26338E929D4199EDC034F8011695270BB98A1F44E2533D989544C46197E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090533Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:46.820{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D8CAE0B76E66C4C57239803B8D8A2A,SHA256=19AA97DBDD16BBFC24BDD859513327C6F7107FA62DA3BF4CF6BDC875EB691574,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090532Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:44.997{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50720-false10.0.1.12-8000- 23542300x800000000000000090531Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:46.273{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=074664F4E5F1F6BF02212CEE4D11B998,SHA256=C1DDA100E7216A0D06ECDCBF33467BE730B9C00D4EF09397B8E3D651676E77F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101380Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:47.922{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB8F339B679718B147798B42A79A9FEE,SHA256=7D83E5F9634178946C4CC088B60308265F4B7FC99D55007184486653F43BA230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090535Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:47.820{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23F9D74A4FB648CF8127004AB1948F3F,SHA256=D822FEA05C54A2FC2CBEEA3288EFEF8D05918A3951F690378B608491EDCA3481,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101379Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:47.328{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000101378Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:47.328{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000101377Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:47.327{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000101376Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:47.327{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000101375Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:47.327{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000101374Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:47.327{3A00444C-84EF-6086-4702-00000000BC01}42084596C:\Windows\system32\sihost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101373Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:47.170{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000101372Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:47.170{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000101371Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:47.170{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000090534Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:47.523{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C3D80990C5545C7A46107EE7636DCBC,SHA256=8E7676BAF87EF2730E756998AD1E9C247529E3926A0067DB70F15A07654124B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101382Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:48.934{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9207D26C6972F67F170F4461C49540A1,SHA256=CD110E9A6658D97894F86B703866BA3292F5748FA46A1958DC17624C66EBFA5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090536Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:48.835{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=930AF79CF95E3775AC3D03C39F97A499,SHA256=9CF67EC6A32A19CA91CE9993701BA20923DFEEBD8DE636B175C42DC89CD5E029,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101381Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:45.887{3A00444C-7725-6086-2D00-00000000BC01}340C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-841.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-841.attackrange.local62475- 23542300x800000000000000090538Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:49.882{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2757795347EE2B687C4354C3882C4142,SHA256=DFCBE158FA70CD2D8B3B8A67AB87827CF2746345C98928237F2AEDDAB184FB8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101383Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:49.994{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E15A951549359A55EFB77ABD2106BF33,SHA256=AC8D1A1DED05A985BA1E263D33B8AAFA95AD3A3BA39191432820710989668537,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090537Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:49.023{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E3E067EE7A268F863A6325864098742,SHA256=5A357BEA997F4AE4A237D0E9C0FE81CB17BBEC216402477AA7C87A2E32A8AC09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090540Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:50.898{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA4C35B55484AE196B3DCEFFFCC81FC4,SHA256=313F4892011DF1AC9BB81EDF5558E563C7B07F30AF8E06F623F629EE9ECD90DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090539Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:50.179{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC3AC1A26CCDCA1449EA3CC62ECBC607,SHA256=A182CBE2DCC7CE520D932DE96F41C1F876EF9C9BB47A70B71922146F4761FE3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101384Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:47.792{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57470-false10.0.1.12-8000- 23542300x800000000000000090542Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:51.914{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E5E1A7D66F88331557B36443D1D2BA5,SHA256=5FC58D95D77DD4AB06544E420389D45AABEFED6BDB916AF4830FA389EFFBFD35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101385Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:51.007{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=183384C7BAAC14AD425CC3EE2F4DE466,SHA256=0EECC61946444B8FD5E9DE9737C60E383D836116EB05A63913E4D17D364AFA2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090541Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:51.226{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC0A622071B4688A648FCB2E14FA6F97,SHA256=2496D8CB08FAEC04AF63C3328F08CE9EB2E7DBCB4EDC0E4FB7539DF082D19D0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090545Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:52.929{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88D901570BE3440DE4222485F533DBB6,SHA256=ADF07DAFDF5F071F7B134795F982ED533AF552D33F2A99435D7F14A1F00CFEA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101401Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.950{3A00444C-7726-6086-3700-00000000BC01}33403360C:\Windows\system32\conhost.exe{3A00444C-89F0-6086-0A03-00000000BC01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101400Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.949{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101399Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.949{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101398Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.948{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101397Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.948{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101396Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.948{3A00444C-7713-6086-0500-00000000BC01}408524C:\Windows\system32\csrss.exe{3A00444C-89F0-6086-0A03-00000000BC01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101395Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.948{3A00444C-7725-6086-2C00-00000000BC01}29403548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A00444C-89F0-6086-0A03-00000000BC01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000101394Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.948{3A00444C-89F0-6086-0A03-00000000BC01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A00444C-7713-6086-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101393Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.903{3A00444C-7725-6086-2C00-00000000BC01}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C81FA1D267D8190DFD394F0C6EF1C409,SHA256=8799B118458B61BC2BE2C7CCE01ED0BF8DEE56258AADF3EC25E977922F694BDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101392Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.056{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=F6E55EBE745A774BC878F7290F9E658A,SHA256=E92D7E83538E4D52B3458EEB762A9AD28C34E2DE72006DA6FCDA8581E5052BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101391Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.055{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=1A7E0C577B6BA6460C3B64D26687B51E,SHA256=836BF67A841A3246B659A46B14A6928BF41A5DBC7A5B5B09ED91AD889E61BA78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101390Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.054{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=B671D6C8C9F24CAA942CDA1A5A390C20,SHA256=EA4C5631BE9C4958F42EC7DF1D62F89223130FEEC829278D3BE761006C5DB5D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101389Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.053{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=CEB8783DC69C7AC7044297941CCFDF4A,SHA256=59C938E07A4DF6353A694913C9D7AF7525CD0CCE373545F213FF1D70B3ECCDE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101388Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.051{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=48B0104C2CC002EB71849C0EA6FB9453,SHA256=6D3DA70C4EA16799EDE7052D45C97AED2FE80BD8582438C905F73357ED4DB884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101387Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.050{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=B30D3C94A954A915FCBD52323E862D75,SHA256=577A946F4CC459B2D4F2987A4E81D690668FC50372B5F9D34E736A1C7F719126,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101386Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.023{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=749E6F1E589660249D167F3FBC7463C6,SHA256=E85A68EBDAEAC89CBFB8CDA1A90C2499DED0DA320F20BCAEA1C293B03DED3A75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090544Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:52.445{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECAEB2C39E54E613D73B3234D4526F17,SHA256=A05D0D2B2932B5F617135FD8143C460EE61A8EF738715F918646D038DB8122E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090543Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:50.028{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50721-false10.0.1.12-8000- 23542300x800000000000000090547Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:53.945{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60BF05A02EEC94692A54EB4EFB27EB3D,SHA256=36F88FC110D1D00CA7892B2B9A8879A11730D97E92A63F13B8694E42E5E503CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090546Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:53.742{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82CF3C163474F50DA8FD329B568C662F,SHA256=AE57731443385803F60C97942A23F9EFD0C5C35072DD069956E60069ECB00D98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101413Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:53.966{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEEB7DD27836B193C43C6C56F2C1E6C7,SHA256=DCC760228F7DDB345743936F248DC9736EAA5B2BA3BA2D68B8AC189E8D5A2298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101412Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:53.965{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=388CE36C36A2DDE30065D91A17E5A9A4,SHA256=F8F42FADE001A5F0FAD9AC1E04D1C46493A47BAB4DF69A46D6DA92CE8A82D123,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101411Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:53.639{3A00444C-89F1-6086-0B03-00000000BC01}8446420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101410Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:53.498{3A00444C-7726-6086-3700-00000000BC01}33403360C:\Windows\system32\conhost.exe{3A00444C-89F1-6086-0B03-00000000BC01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101409Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:53.497{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101408Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:53.497{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101407Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:53.497{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101406Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:53.497{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101405Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:53.496{3A00444C-7713-6086-0500-00000000BC01}408524C:\Windows\system32\csrss.exe{3A00444C-89F1-6086-0B03-00000000BC01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101404Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:53.496{3A00444C-7725-6086-2C00-00000000BC01}29403548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A00444C-89F1-6086-0B03-00000000BC01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000101403Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:53.496{3A00444C-89F1-6086-0B03-00000000BC01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A00444C-7713-6086-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101402Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:53.039{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8301DF09638D394333A121EE5988983A,SHA256=CB29585CDEAFE24EA11283E2968363AD3E44C9319B926888E9B4038E8066C58F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090561Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:54.961{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=253EF2ABF8755CE183FC50940ACF08F3,SHA256=EEEF6A5377A4899A4CFB393754701FC4A63D5C219F3BF49423A844DD8826547D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090560Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:54.961{98176BC8-7728-6086-2B00-00000000BC01}24762052C:\Windows\system32\conhost.exe{98176BC8-89F2-6086-C802-00000000BC01}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090559Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:54.961{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090558Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:54.961{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090557Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:54.961{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090556Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:54.961{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090555Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:54.961{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090554Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:54.961{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090553Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:54.961{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090552Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:54.961{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090551Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:54.961{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090550Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:54.961{98176BC8-7725-6086-0500-00000000BC01}628904C:\Windows\system32\csrss.exe{98176BC8-89F2-6086-C802-00000000BC01}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000090549Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:54.961{98176BC8-7727-6086-1E00-00000000BC01}21202456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{98176BC8-89F2-6086-C802-00000000BC01}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000090548Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:54.961{98176BC8-89F2-6086-C802-00000000BC01}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{98176BC8-7726-6086-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000101423Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:54.077{3A00444C-7726-6086-3700-00000000BC01}33403360C:\Windows\system32\conhost.exe{3A00444C-89F2-6086-0C03-00000000BC01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101422Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:54.075{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101421Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:54.075{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101420Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:54.075{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101419Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:54.075{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101418Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:54.074{3A00444C-7713-6086-0500-00000000BC01}408424C:\Windows\system32\csrss.exe{3A00444C-89F2-6086-0C03-00000000BC01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101417Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:54.074{3A00444C-7725-6086-2C00-00000000BC01}29403548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A00444C-89F2-6086-0C03-00000000BC01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000101416Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:54.074{3A00444C-89F2-6086-0C03-00000000BC01}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A00444C-7713-6086-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000101415Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:52.500{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57471-false10.0.1.12-8089- 23542300x8000000000000000101414Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:54.048{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBE3D1B28D76DC09A5A73C5331818DE1,SHA256=43442D1A4024D034EC29C66B46BBFE72F3305BBCAD564AA7010B04C061D7824F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090577Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.758{98176BC8-89F3-6086-C902-00000000BC01}27364076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090576Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.633{98176BC8-7728-6086-2B00-00000000BC01}24762052C:\Windows\system32\conhost.exe{98176BC8-89F3-6086-C902-00000000BC01}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090575Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.633{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090574Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.633{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090573Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.633{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090572Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.633{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090571Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.633{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090570Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.633{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090569Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.633{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090568Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.633{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090567Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.633{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090566Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.633{98176BC8-7725-6086-0500-00000000BC01}628644C:\Windows\system32\csrss.exe{98176BC8-89F3-6086-C902-00000000BC01}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000090565Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.633{98176BC8-7727-6086-1E00-00000000BC01}21202456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{98176BC8-89F3-6086-C902-00000000BC01}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000090564Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.633{98176BC8-89F3-6086-C902-00000000BC01}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{98176BC8-7726-6086-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090563Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.492{98176BC8-7727-6086-1E00-00000000BC01}2120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C81FA1D267D8190DFD394F0C6EF1C409,SHA256=8799B118458B61BC2BE2C7CCE01ED0BF8DEE56258AADF3EC25E977922F694BDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090562Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.164{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=051F4E8DE9465F3FA02F81A1ABE8950A,SHA256=8A1922A879A973B7B842A66EA65A1E2AB22BF3CC46EC70BB4AACD93EB542B26D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101425Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:55.081{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEEB7DD27836B193C43C6C56F2C1E6C7,SHA256=DCC760228F7DDB345743936F248DC9736EAA5B2BA3BA2D68B8AC189E8D5A2298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101424Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:55.067{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E30FD02EC09CF8986EE83BAF5CDCA89,SHA256=6CA9731C0CBD14DF29EF316D536B9BA5ACC31F2662F6F9446F4377CAA9C65EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090592Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:56.429{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE9F6B705A96FBE4E16DC37C839AB584,SHA256=6D0C01C4FEBF44511F887744EB0D821DC6E8A672961BD12F04B67937647FC3BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090591Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:56.429{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D786C7C99C676BA748151AA8A4ED3B,SHA256=19A84B477BFD27D09D5F70D542F5880466A2EDA7B6E1F9EF41532AE99E633347,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090590Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:56.304{98176BC8-7728-6086-2B00-00000000BC01}24762052C:\Windows\system32\conhost.exe{98176BC8-89F4-6086-CA02-00000000BC01}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090589Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:56.304{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090588Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:56.304{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090587Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:56.304{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090586Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:56.304{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090585Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:56.304{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090584Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:56.304{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090583Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:56.304{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090582Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:56.304{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090581Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:56.304{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090580Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:56.304{98176BC8-7725-6086-0500-00000000BC01}628744C:\Windows\system32\csrss.exe{98176BC8-89F4-6086-CA02-00000000BC01}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000090579Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:56.304{98176BC8-7727-6086-1E00-00000000BC01}21202456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{98176BC8-89F4-6086-CA02-00000000BC01}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000090578Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:56.305{98176BC8-89F4-6086-CA02-00000000BC01}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{98176BC8-7726-6086-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101437Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:56.719{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9D0001AA4D2BE06FE839DF84C93265D,SHA256=E4FA1BE66A2619495D0D99296B3AE9D324530A11C759342140E956FBCB4C098B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101436Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:56.536{3A00444C-89F4-6086-0D03-00000000BC01}50366572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101435Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:56.398{3A00444C-7726-6086-3700-00000000BC01}33403360C:\Windows\system32\conhost.exe{3A00444C-89F4-6086-0D03-00000000BC01}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101434Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:56.396{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101433Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:56.396{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101432Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:56.396{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101431Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:56.395{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101430Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:56.395{3A00444C-7713-6086-0500-00000000BC01}408424C:\Windows\system32\csrss.exe{3A00444C-89F4-6086-0D03-00000000BC01}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101429Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:56.395{3A00444C-7725-6086-2C00-00000000BC01}29403548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A00444C-89F4-6086-0D03-00000000BC01}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000101428Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:56.395{3A00444C-89F4-6086-0D03-00000000BC01}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A00444C-7713-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000101427Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:53.829{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57472-false10.0.1.12-8000- 23542300x8000000000000000101426Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:56.072{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE2CDA696EB90A7325BD95294E1BDF4D,SHA256=8E1AC590BA9BFA23E0E6EA9BFD852FE6157404B6D73A13E7344EBF035571A745,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090609Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:57.945{98176BC8-89F5-6086-CB02-00000000BC01}21522204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090608Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:57.820{98176BC8-7728-6086-2B00-00000000BC01}24762052C:\Windows\system32\conhost.exe{98176BC8-89F5-6086-CB02-00000000BC01}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090607Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:57.820{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090606Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:57.820{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090605Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:57.820{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090604Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:57.820{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090603Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:57.820{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090602Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:57.820{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090601Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:57.820{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090600Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:57.820{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090599Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:57.820{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090598Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:57.820{98176BC8-7725-6086-0500-00000000BC01}628744C:\Windows\system32\csrss.exe{98176BC8-89F5-6086-CB02-00000000BC01}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000090597Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:57.820{98176BC8-7727-6086-1E00-00000000BC01}21202456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{98176BC8-89F5-6086-CB02-00000000BC01}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000090596Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:57.821{98176BC8-89F5-6086-CB02-00000000BC01}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{98176BC8-7726-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090595Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:57.445{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4B27EE74885E22D9521A6C7BA56D1C4,SHA256=47CA0D25E52F4FCF561FEF1730A877B59B19D61757D033BB2164A9B35DFA7D48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090594Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:57.383{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E8FFA3AFEBBC222F6FD0E0F92424008,SHA256=F75AB3DD64EAC8DCA9AF6C2E95CA981A7E185A6D65A8DAD0D365DDEDBE858513,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101449Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:57.198{3A00444C-89F5-6086-0E03-00000000BC01}71201016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000101448Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:55.301{3A00444C-7713-6086-0B00-00000000BC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-841.attackrange.local57473-true0:0:0:0:0:0:0:1win-dc-841.attackrange.local389ldap 354300x8000000000000000101447Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:55.301{3A00444C-7725-6086-2800-00000000BC01}2880C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-841.attackrange.local57473-true0:0:0:0:0:0:0:1win-dc-841.attackrange.local389ldap 23542300x8000000000000000101446Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:57.128{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF788F8CB2E789164F5B074899CB5087,SHA256=E700556D292101FDE969DF4D8F52539D92381C2953807749342E0B6AF37E2F32,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090593Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:55.293{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50722-false10.0.1.12-8089- 10341000x8000000000000000101445Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:57.059{3A00444C-7726-6086-3700-00000000BC01}33403360C:\Windows\system32\conhost.exe{3A00444C-89F5-6086-0E03-00000000BC01}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101444Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:57.057{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101443Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:57.057{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101442Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:57.057{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101441Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:57.057{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101440Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:57.056{3A00444C-7713-6086-0500-00000000BC01}408384C:\Windows\system32\csrss.exe{3A00444C-89F5-6086-0E03-00000000BC01}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101439Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:57.056{3A00444C-7725-6086-2C00-00000000BC01}29403548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A00444C-89F5-6086-0E03-00000000BC01}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000101438Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:57.056{3A00444C-89F5-6086-0E03-00000000BC01}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3A00444C-7713-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090626Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:58.633{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=603A2E4921AF6F7982435B6FBF1282A1,SHA256=4D9C8CA71E1AD61B8F08FC8E45D45B1160AF78E802EEAE0FF25BBEB403A18C16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090625Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:58.633{98176BC8-89F6-6086-CC02-00000000BC01}3844220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090624Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:58.492{98176BC8-7728-6086-2B00-00000000BC01}24762052C:\Windows\system32\conhost.exe{98176BC8-89F6-6086-CC02-00000000BC01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090623Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:58.492{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090622Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:58.492{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090621Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:58.492{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090620Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:58.492{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090619Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:58.492{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090618Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:58.492{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090617Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:58.492{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090616Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:58.492{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090615Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:58.492{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090614Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:58.492{98176BC8-7725-6086-0500-00000000BC01}628904C:\Windows\system32\csrss.exe{98176BC8-89F6-6086-CC02-00000000BC01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000090613Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:58.492{98176BC8-7727-6086-1E00-00000000BC01}21202456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{98176BC8-89F6-6086-CC02-00000000BC01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000090612Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:58.493{98176BC8-89F6-6086-CC02-00000000BC01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{98176BC8-7726-6086-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090611Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:58.461{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ACFC2FF8AC1C7CFC55F4AF95ADE9AEC,SHA256=90C8DC4FF631FE897290B553B61BD4C63854EFCC0E4BA27FB69B742E671DB480,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101462Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:58.675{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101461Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:58.675{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101460Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:58.212{3A00444C-89F6-6086-0F03-00000000BC01}61646500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000101459Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:58.134{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D67BAC5A89CDBBFB8E44018085F2B183,SHA256=2C5A81679F39F9CFB93EB2001F96E3176E67EC512740C6087148EA143D77A676,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090610Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:56.043{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50723-false10.0.1.12-8000- 23542300x8000000000000000101458Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:58.070{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20B43DCD8B1F30C6D288C419DBDC030B,SHA256=D613EFCCF7F5E9A61788D16A1604B1B6C3B19769F72F568E7F67635A64F70CE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101457Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:58.040{3A00444C-7726-6086-3700-00000000BC01}33403360C:\Windows\system32\conhost.exe{3A00444C-89F6-6086-0F03-00000000BC01}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101456Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:58.039{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101455Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:58.039{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101454Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:58.039{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101453Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:58.039{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101452Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:58.039{3A00444C-7713-6086-0500-00000000BC01}408524C:\Windows\system32\csrss.exe{3A00444C-89F6-6086-0F03-00000000BC01}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101451Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:58.038{3A00444C-7725-6086-2C00-00000000BC01}29403548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A00444C-89F6-6086-0F03-00000000BC01}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000101450Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:58.038{3A00444C-89F6-6086-0F03-00000000BC01}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A00444C-7713-6086-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090642Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:59.851{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDE29C2986E4BE4FBA085A1C834AE5B3,SHA256=1D92E34C16F5D33A68BB43690D2730B67AEAEF2DF1B86137B58DFC63B5CCF78F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090641Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:59.851{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6520EEB85D85BEAD41C8CFECAD269A3E,SHA256=AF692F735DC254D6623A0F84AF4A092F656FD08C5E3DDB4080A28B32A0B70910,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101464Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:59.415{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=93B727024C95FD37F8AA537040E293CF,SHA256=F56C2C9523F9C6B2181BB3593144BC4198738E8A5E80B491725999D429B439F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101463Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:59.150{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EB1D5DFFD9492C8BD4ADE3B2038BB24,SHA256=355026D571A7742F277A07B59DEAC3287AFBD2E99C569ED842846A5ACE1BA036,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090640Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:59.289{98176BC8-89F7-6086-CD02-00000000BC01}25283592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090639Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:59.164{98176BC8-7728-6086-2B00-00000000BC01}24762052C:\Windows\system32\conhost.exe{98176BC8-89F7-6086-CD02-00000000BC01}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090638Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:59.164{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090637Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:59.164{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090636Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:59.164{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090635Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:59.164{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090634Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:59.164{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090633Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:59.164{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090632Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:59.164{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090631Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:59.164{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090630Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:59.164{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090629Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:59.164{98176BC8-7725-6086-0500-00000000BC01}628644C:\Windows\system32\csrss.exe{98176BC8-89F7-6086-CD02-00000000BC01}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000090628Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:59.164{98176BC8-7727-6086-1E00-00000000BC01}21202456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{98176BC8-89F7-6086-CD02-00000000BC01}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000090627Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:37:59.165{98176BC8-89F7-6086-CD02-00000000BC01}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{98176BC8-7726-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101473Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:00.151{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=556C448B00604897D3952BE15B6507BA,SHA256=6FA94876E4FFBDCCCD6A0BB6AA199EAFC690C48A545F0EE09BF235807E7C8A6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090656Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:00.992{98176BC8-7728-6086-2B00-00000000BC01}24762052C:\Windows\system32\conhost.exe{98176BC8-89F8-6086-CE02-00000000BC01}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090655Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:00.992{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090654Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:00.992{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090653Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:00.992{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090652Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:00.992{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090651Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:00.992{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090650Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:00.992{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090649Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:00.992{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090648Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:00.992{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090647Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:00.992{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090646Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:00.992{98176BC8-7725-6086-0500-00000000BC01}628644C:\Windows\system32\csrss.exe{98176BC8-89F8-6086-CE02-00000000BC01}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000090645Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:00.992{98176BC8-7727-6086-1E00-00000000BC01}21202456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{98176BC8-89F8-6086-CE02-00000000BC01}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000090644Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:00.993{98176BC8-89F8-6086-CE02-00000000BC01}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{98176BC8-7726-6086-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090643Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:00.930{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CA68DBD88321A5C10A1B6DC6DEC885C,SHA256=D42C4C9CD46B16863824308EE75DC4F6328EF8459201C8726D609E7B4A8B1E38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101472Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:00.070{3A00444C-7726-6086-3700-00000000BC01}33403360C:\Windows\system32\conhost.exe{3A00444C-89F8-6086-1003-00000000BC01}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101471Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:00.070{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101470Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:00.070{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101469Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:00.070{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101468Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:00.070{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101467Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:00.070{3A00444C-7713-6086-0500-00000000BC01}408424C:\Windows\system32\csrss.exe{3A00444C-89F8-6086-1003-00000000BC01}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101466Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:00.070{3A00444C-7725-6086-2C00-00000000BC01}29403548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A00444C-89F8-6086-1003-00000000BC01}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000101465Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:00.070{3A00444C-89F8-6086-1003-00000000BC01}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A00444C-7713-6086-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101475Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:01.153{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E3BBFD642036FEC38AA2D62D4467C23,SHA256=7BDB3BBB1FDE9FF17FDCCA31AEFE46AD09B77D475EA942A549E4D582077517F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090657Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:01.008{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0842CDE593F3548855ABF119357C4C1,SHA256=EA93AF9359C9833DFF64C002F3922B044E3128DCB7E6C869B03AD6EF3994929D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101474Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:01.084{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5F838F0BB5187B5D93E53DF483D8582,SHA256=6A9DDA9D37A3A41358B265432DB7CEB5A21D8621253A40E212990BA374C00943,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000101480Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-SetValue2021-04-26 09:38:02.388{3A00444C-7725-6086-2E00-00000000BC01}2208C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\BD98497A-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_BD98497A-0000-0000-0000-100000000000.XML 13241300x8000000000000000101479Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-SetValue2021-04-26 09:38:02.388{3A00444C-7725-6086-2E00-00000000BC01}2208C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\8F43AA77-39F2-4006-8A7C-B722E72673C8\Config SourceDWORD (0x00000001) 13241300x8000000000000000101478Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-SetValue2021-04-26 09:38:02.388{3A00444C-7725-6086-2E00-00000000BC01}2208C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\8F43AA77-39F2-4006-8A7C-B722E72673C8\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_8F43AA77-39F2-4006-8A7C-B722E72673C8.XML 354300x8000000000000000101477Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:37:59.832{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57474-false10.0.1.12-8000- 23542300x8000000000000000101476Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:02.156{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE15899B1A1747DF72A169DB9DF20851,SHA256=F19D77E2EAF1C7941B9A4D90B46285A54EF8569C5E6C1FC10A918B96A665DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090659Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:02.023{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D48D2DE3F6BBB14361697D9865BA832,SHA256=21C1ACE6085A34C1618B66FED703E2E048E19D062E6B201B9D9E5BFFA7046DA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090658Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:02.008{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E51F13CC44FB57C080D79E5E8D1AB37E,SHA256=985F1D18E4D185BCE557816D8854BCB7F50FC08534D9BC4EE0B627739049A0D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101482Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:03.422{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C87D081DAFCB375C75FEEAC86951CDED,SHA256=B56097C8E93CA8B38A83E4BC41F73C78BCB63EDE1D4F2612A1437C48843A840F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101481Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:03.174{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB3496E2F9F02A06F835D0505B875EE0,SHA256=EFE8D8A30FE4A71BD08F22AE594303A525DB7C879AEE335F0A002FF3627D50DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090662Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:01.840{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50724-false10.0.1.12-8000- 23542300x800000000000000090661Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:03.086{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3857FA245AF2D9A0133D0E53418DE1A4,SHA256=239780C88BB5A33BFA4C4005E3898AE9B4CFD5FFAE608EB8F8B3951E55D8778E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090660Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:03.039{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD36D693FD3F1F4A6EC738AAC91FDD34,SHA256=2030CD42468BC11BF0F90889A63FDAB7ED227817B409AFDCF39684E7491A3B12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090664Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:04.414{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77AD18852E4E33DF318BB64A94CC05CD,SHA256=65C8F6CBE4845AFE4409D4EB69FC1A88A60CE7707A4E2C75ACF628FE7F97EC74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090663Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:04.102{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93CB45562A68EFCBB42462D744DB72B9,SHA256=E8D038450AC93099A06C9FDA4161A20510523CBAEE125D41228CF0049CF0A524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101495Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:04.963{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=7E3581D0664BD928C1D924C805182452,SHA256=50823C452FC2ED5BCBBEF8BE6E002C3C19F7DF6BF3C029AE8EE8DB67C76D9840,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101494Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:04.963{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=6F3B44018FCBF0F5F4D9DDF1ED29C4AE,SHA256=4CED94A1A69C372934DC130C4BB13BCF0EBA82D47F2C3B7D35FBCDFF78D30201,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101493Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:04.963{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=CE33F4C499E994591C9188201F41E512,SHA256=E86E010D5F5BB6AC4B43B1826CE67DF4CBA311871753D51B06B7067361602C48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101492Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:04.963{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=4408C04D5D78D5B930E4AF572FB83E09,SHA256=6A1E8F390385417AF8AB82CF529841D7F49B0608613D7825950F82A58E359E92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101491Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:04.963{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=9A5F8055D432B795DC22288BA525B306,SHA256=06057B309E78950EE6FEF0E936C9B3D9146FAE94F1FE845F50A4730041129CE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101490Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:04.963{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=5AED43F0AE64F35216E70A154E61A845,SHA256=5B080A12D8D2496D0BBE2311EA2967E37EE14E69F98DA4060D10EFD178B0D200,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101489Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:02.007{3A00444C-7713-6086-0B00-00000000BC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local57477-truefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local389ldap 354300x8000000000000000101488Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:02.007{3A00444C-7725-6086-2E00-00000000BC01}2208C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local57477-truefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local389ldap 354300x8000000000000000101487Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:02.002{3A00444C-7713-6086-0B00-00000000BC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local57476-truefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local389ldap 354300x8000000000000000101486Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:02.002{3A00444C-7725-6086-2E00-00000000BC01}2208C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local57476-truefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local389ldap 354300x8000000000000000101485Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:01.992{3A00444C-7715-6086-0D00-00000000BC01}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local57475-truefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local135epmap 354300x8000000000000000101484Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:01.991{3A00444C-7725-6086-2E00-00000000BC01}2208C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local57475-truefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local135epmap 23542300x8000000000000000101483Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:04.177{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56AFBC973CC30476EE548A4C3BC98315,SHA256=FCA4BD877EE7B6AA678827149E6D184BE6E96D31FAADCB898CF053AC3FD11CA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090666Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:05.451{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0783F0B1310CBFFEEA9271C7B98AFC3F,SHA256=6C90092FDD13CB8044AC3A05CE400901E1EA7E420A1E365EF3BD24D64B243E59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090665Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:05.117{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3CCFEBA61E66FE54A2E72361197BC2,SHA256=2DD9A7C1F09D4BC7C46B7106F44217446252ED37A0A4DB25AE88114A9C8350C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101496Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:05.195{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85D04EEDF6AF7AD19501094D6537511C,SHA256=65F1EFF9E2C85D6869DA23158F31DCCAD6D502B643251509A9B6F274DF51D7B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101497Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:06.198{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE6CB8CE39C0F0EF62057381556421A4,SHA256=978891309B9391B47692B06FE7473A9763932612AFB791B2F08901D969AA357D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090668Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:06.696{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23D8DC6C74BEC3F8407C855D2199FB85,SHA256=9463733A74EA0232CFFD9BE753BE7E397AD2826A3B4536CA136B94F143F2CA36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090667Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:06.227{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47901B4ED99991F7CB1519AF3B4BDA3B,SHA256=03BBF3C580213E667B026D717456873738E51C0F032E161A412DBBC82CC07C51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101498Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:07.198{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61F8E76B167A08A3D18FF3C73A486F91,SHA256=FF7E838E20510911B454C9F3E0A8B9C0BECE296E3A62209B3BBE0594A8772056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090670Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:07.899{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A005ED0ACFE953F6D3C3503F214DC236,SHA256=C72936A274CF5E9D7C613CBA50357079D72645031E2240D78680E1396B7D1F7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090669Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:07.258{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8874C7C645F91056D4E96FE80B6716C0,SHA256=455485FB0C5746F4C8852C905FF27509C3DB80CEB24B444E211F819B15044217,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101501Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:08.367{3A00444C-7713-6086-0B00-00000000BC01}6241196C:\Windows\system32\lsass.exe{3A00444C-7711-6086-0100-00000000BC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x8000000000000000101500Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:05.847{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57478-false10.0.1.12-8000- 23542300x8000000000000000101499Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:08.229{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC1A3F36612946F3371AB4A88ECB17D1,SHA256=F8FD5AA2E90219C88FE4E47CE6F1EB5A8F8FE89C9C5DFCD32EA375BF59220C3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090672Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:06.855{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50725-false10.0.1.12-8000- 23542300x800000000000000090671Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:08.289{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C454D40B6E1C203FCD36B878AC04348,SHA256=D9C4C7651BD18ED86D2CA4DAABF0243A51F45374F6A25F91E1E2C65CDFE22865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090674Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:09.305{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CA5154A76DD816036E1F11AE60AE609,SHA256=DDE3165929FBC65333BA1C556BBB4D8DE7D9A32CEE17F326EE03974EA688C15D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101512Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:09.983{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=914203F6E5ABB8EACB42BF85C3C32D80,SHA256=9A3AC9E29D158249BF04AA5B10AB94ABD41648672EC7C269041817647B4969C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101511Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:09.983{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=4358167FEB67E877439F6D01D5607DD1,SHA256=DDA7DCA4BBDD896D964D83E18F6F77E578C533CFDEF6DD020149DB19870C4A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101510Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:09.983{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=053AE7541CED9A1346FAAD474F853CBE,SHA256=9659BDE4ADD59575AAE3BDAD3CA37D1002E70073FDE764A7D0B0EB0EFAA7E249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101509Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:09.983{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=6B156E0B5624CD46D5410244B1602D9D,SHA256=044532ED598D79B382AFDCD53F3B2F9BF8F8AD60B672C482A367485F3765FAF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101508Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:09.983{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=765934BB01768A9D4390E21AEFCC8D64,SHA256=A05F0CED8FA5A2DAB3293749E08B8696D33DEE7C582F2EF61F25DC83A9F1A61D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101507Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:09.983{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=914EADFE8E034152BBFD724FA537212F,SHA256=155BB9CA5E96D082103F4B5C7D6B10BD493EC5E2A5236CCD123361FAD97E6E0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101506Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:07.872{3A00444C-7713-6086-0B00-00000000BC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local57479-truefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local389ldap 354300x8000000000000000101505Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:07.871{3A00444C-7715-6086-0F00-00000000BC01}296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local57479-truefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local389ldap 23542300x8000000000000000101504Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:09.313{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C51A6BF8088171E9379780D1CEC2869,SHA256=9B7F0108DD98215EB8191A3DB1C2ACC9081BFD3B049E5D4C96533ECB8E19C84B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101503Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:09.313{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BC70721B5B46DBF992A052F429222E9,SHA256=EB7DE768C51768A8CC38F8553BF3F73B2C86BA4ED839158DDEB9767F86E77DD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101502Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:09.230{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C04B4AD884E8EA67531018463FFA1877,SHA256=288314C2DEDDCC0371470C7C12A63E379913AE6FDF3EBCF2BF1BB7D514035161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090673Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:09.039{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=539D87BA55E9BA34CA9B60B3F4E7E8A1,SHA256=1630FB50619CC372EC1E3D3487CE1B59FA8F9C2198A3C12C4358D78702C2E374,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090676Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:10.493{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB689B8FFC3A632A7179789526D3A67A,SHA256=C8D112EF2BD399025E8A63C77E1A4160785AD47B89CB2C3087495E3423331451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090675Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:10.446{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=378C6759C6A422983B14A68F1B691FB1,SHA256=1A789D87F4E904335C390A22A0282C6FDA42E0DC5002156A962D321B0A735528,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101515Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:07.877{3A00444C-7713-6086-0B00-00000000BC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-841.attackrange.local57480-false10.0.1.14win-dc-841.attackrange.local389ldap 354300x8000000000000000101514Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:07.877{3A00444C-7715-6086-0F00-00000000BC01}296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57480-false10.0.1.14win-dc-841.attackrange.local389ldap 23542300x8000000000000000101513Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:10.248{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F3B95F2BE49D4C84B46F1F9FFEDB06E,SHA256=C627C8A5C42EFF9ED03CC46AA8CB5B0903FAC9EBAB6E86E03C19702F19538715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090678Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:11.680{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4401106C178387B2432F01FAD475685B,SHA256=C7D23F5180939260AFAD01712E3AA62DF004253C191D81A52BACE1B67615A0D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090677Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:11.540{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3613AF34689B7107B4803CF009096DD,SHA256=5402DACF1A79A697703C48356A88F942C6837BB45A4B1C8944978A4E2F8B9031,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101518Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:07.972{3A00444C-7711-6086-0100-00000000BC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local57481-truefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local445microsoft-ds 354300x8000000000000000101517Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:07.972{3A00444C-7711-6086-0100-00000000BC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local57481-truefe80:0:0:0:b888:c75d:5f28:91afwin-dc-841.attackrange.local445microsoft-ds 23542300x8000000000000000101516Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:11.282{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65BB81B85EA70C4BBAB256DBE2E5CAC1,SHA256=5C61787A6FC72C5CC9BEF17BAD67A5F1DD596EF3FA0E81F5823807014014975E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090680Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:12.805{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1565AA04D8306EB519E70681F2A8F007,SHA256=F339D533245F43CD8064B86D9DBEA87B9A234D64551FECCF7B6B60A0E4E5AB76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090679Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:12.618{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A90E2F1D07367D4413BE807388E655F,SHA256=ECB38715B514C1B819551FB552FD36C93E9638C2C9281C363A6754588E4D6C77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101519Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:12.297{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6111F19DE0E78814113C30D4D7435A26,SHA256=FDC71F40402AFE09669429C5EA6845587A8BCDAE523AD09E773DCE6FCE7C49BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090683Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:13.915{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B997DAE4914FCA139B608DEC9ACEAF1,SHA256=652390A5F615D1DCC628ADE50DFAE326FCA510510F34198E7D34BE1E96156438,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090682Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:11.980{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50726-false10.0.1.12-8000- 23542300x800000000000000090681Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:13.696{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=847527B05BD76A88B5C2DA2207CE4799,SHA256=14F2EFA5C6C7E1635725CD4ECF34963F609699444BFA7050D4678DFD07965BA3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000101522Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-SetValue2021-04-26 09:38:13.544{3A00444C-7715-6086-1100-00000000BC01}476C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d73a7f-0xe0ad81b2) 23542300x8000000000000000101521Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:13.313{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83D74711D4AB70004E656C54126F72CD,SHA256=D3040D7FD584D00B746BB427E72F4677492733FCA7D663D54A913BB852022D73,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101520Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:10.847{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57482-false10.0.1.12-8000- 23542300x800000000000000090684Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:14.727{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D470074571EDD43ED09E7F2EF0A34B4,SHA256=8E790D357C8FFCCECBB2A47425917306BAFC2E203E37073BD074F99A91736129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101523Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:14.314{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7470EDBA3DBBB7E9789DCE41E6EC83BE,SHA256=81A082110542080DF551D8B494B5802BAD93338E2B2D9613F7AFAE2FDA9E1731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090686Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:15.743{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6687391EBDCDF26DFEAF61998732071,SHA256=AAA20CDE7A20FF3F442D8B6346C17830EB4047CC21CDE09F2070C7F7B1BFD6A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101524Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:15.315{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFB4FE34A66472B3F41C1C6399C0952E,SHA256=3AA8035B09658AD50B0FF57F331B0CEA735F3CD928CDEF3310455D42ECFB9C9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090685Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:15.087{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EC6EEE5E38B8C4D164BE168F89E37A3,SHA256=1E7E3E4FF11E64EF81E26771026E2BB8174E2A1BBFD77560956D9D724F566D72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090688Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:16.774{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE4D75AA51B7700A0B704156F2C5DF41,SHA256=325EAF67F380B80DCDF77D28B9F6D822C07968BD6AC67B4B37C810EE1E0B21AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101525Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:16.329{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E14EBF2C618C59EF3C2AFCE37E2B7DA,SHA256=0452F48A785813B9326E805A4BF7E1774E9C30FE2DC14BDDBFB92BF4D3F561B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090687Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:16.212{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2490716AD985BDC390157EA9C10CF6F7,SHA256=23DC4AE7A2606BC1D2A995272F7E6C5A66F3BB3B108CDE82E978825DEFF5A02F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090690Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:17.837{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A871D55777435FE6CBFF8AB3102C5CC,SHA256=0290A8FD8957D41938F52E69C32244FCE07CE267C390AF6E4934D900756D19F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101526Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:17.367{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF15C0EC80E7510115EA9B29A33F8E16,SHA256=EF7315DF449E192260C88A9964EA103FF7F624E964A878190525F3B7F8C4547E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090689Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:17.509{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B860ACB9E7A9BF8DBB8E8F04C3AA845D,SHA256=47AF08829F464E49120906785BCD8392107B7A01010FCADE80F671405979BC53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090691Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:18.852{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8804831A03907FB4519571C3872F735D,SHA256=06AFD959A1D4E2ABADB478C8D2B885F1DC0C6F39F3BA36BE3BD7053FBA3ADDC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101528Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:16.651{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57483-false10.0.1.12-8000- 23542300x8000000000000000101527Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:18.382{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F531D81A841338BC2F9275F8ED566E36,SHA256=C45C4614DBBF51534F5E618D15CB90AAB244648395EC3A64E2A6784DB4E16EFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090694Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:17.949{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50727-false10.0.1.12-8000- 23542300x800000000000000090693Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:19.899{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A62A4430DDF2C4233BEC8149B27158,SHA256=A223D7766D969EDAAE4E1AD385F7EF7FD60C1844145AA5335638D15DB766E736,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101529Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:19.384{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD30C88AC03160CE3404924CBD11D165,SHA256=A516435B95694E894D4A2D8DD091C13997FF28658DD552DA89B9B6E8E716FCC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090692Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:19.009{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE12DA5A086F5C36BEFE9E27CD35F0DD,SHA256=9E6EFBAB64FED091064668C12636680BB20D1CD0D73660869C1A6C88550BB511,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090696Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:20.915{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEF1DB66B70F12977FC6CF8B3D770F2C,SHA256=41E5B430F5DF222208DB842F7C09224FD975148C97ABE5470247098AFCD6AD3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101532Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:20.398{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA34A9F75CE39D65169EEF5D5DF89275,SHA256=67765F9922CFD36606A2C0826DA89890FC4E22DBC6E80B15BFE06382E8E407AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090695Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:20.087{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E20DF1CD306AE80F9D5D8907426AB42,SHA256=C220DC449249DC43F62CEABBFAF78356612002B5927061C5B91982AD88D952EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101531Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:20.099{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=650327C91BA4E4BBEC28D691D5764686,SHA256=7149486247B1AABDC3D6AA9CD83F4C8E4F2EB8B73FD6B38DA5D8DDDD01FC3F48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101530Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:20.099{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C51A6BF8088171E9379780D1CEC2869,SHA256=9B7F0108DD98215EB8191A3DB1C2ACC9081BFD3B049E5D4C96533ECB8E19C84B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090699Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:21.946{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7267982B4B5D9F06CE85889B79FB3031,SHA256=5B67837664DF2EBF663698594CDFE1BC7C41C7F27BA0B087B1807282ED23BCA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101533Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:21.399{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6D6EBC7A463F8A26D2B3F070E59B2F3,SHA256=E9167F501DDD7D459846231A3B174C93C6D10C701577B4C3C84EA9AA0368224A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000090698Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-SetValue2021-04-26 09:38:21.493{98176BC8-7727-6086-1100-00000000BC01}1084C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d73a7f-0xe56a7b5a) 23542300x800000000000000090697Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:21.274{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8312BD6881F8DAC9200FFB64B905EA81,SHA256=18A57640C1429A4F167A6FF7D7A41D914478D1911DAE08B798252EB6CD82730B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090701Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:22.962{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BC2619D6ED13BEEC1779674DB7A623A,SHA256=CB31D660F08481AC865862DD3F1FF958A62AC19D63B5CEE33D7BB9A3A175343D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101534Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:22.430{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CA849DD27B98914966E11F4ABA26C1D,SHA256=5E59D56020A331C71F6FC3118B46FB9D3D4A3973BFA9FEC098D19AC3523B82FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090700Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:22.353{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBC66C3C3142BEE10E5ED890029B18BE,SHA256=F4466E21973510D7318BF8A1315E5620B38E7DD33FC2E84B343515606BBF716C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101535Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:23.431{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67BC331013BDBE2B542057F7F89C61B9,SHA256=B33A0E7C0B5A87BB8C8089D3FF86871B1CF6BE51E461394F1161A2D45821A830,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090702Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:23.619{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4645A6848D3F04DC3863D31730EBB73,SHA256=93172A945FC101747839249180DB3456CDF24F803B4ADBED09D781A6324DC585,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101537Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:21.685{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57484-false10.0.1.12-8000- 23542300x8000000000000000101536Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:24.467{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3EA66F61ED8A9FAACAB6CA7DE88E915,SHA256=77A69FB145B04021F3A26E65D3EDA57CE39BFBF468980E5C3809178417BA0E4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090704Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:24.853{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94E56817088D1765218DE0F57179CEEB,SHA256=6870FBABF803DBF58C2E7B69AA800522E2A109BA9B96D7D6BA80B926E0294867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090703Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:24.025{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D45D0FC8FBA9B3E5A77F3221D3A3AE73,SHA256=D1EC408B7A7B8E6EC617B2A81CB349004A7E2B2D40549534B68C36035DB34E2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101538Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:25.468{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E6301DCD624D02FCBEA9558DE34D507,SHA256=E54BBFF5070C47E2ECB3ECD971AAE4AFC4620D3884AB99BCE27B144A5E69D719,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090706Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:23.948{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50728-false10.0.1.12-8000- 23542300x800000000000000090705Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:25.056{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=448FC238FE2FE64C9D7A80741419D63F,SHA256=61E7A4FA430EEEFAEA0B239E9537E0C8E7431665C3F2D81AEAED3265DBF59F29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101540Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:26.468{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4014FA02B1309275FCFBB49E1D53A003,SHA256=D7B6409FE9256F518408B77DC08690A7A25BD747E76D4BD9C45220271EE6913B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090708Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:26.259{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBF9FF93B5B44D939F89E8B2DD3C16EE,SHA256=509B671984B9ED3D405F51BC10194F368C19EE9A4D1F72A52E7E01596F36A75C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090707Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:26.088{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F7D98122BC22EBC45810ABFAB9E9979,SHA256=7434D8B1AA011267F853C9449D6C33673E69752D8A0CAFDFB4D2D863BC85817B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101539Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:26.268{3A00444C-7715-6086-1200-00000000BC01}612NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6935353FDFEB6998B5B09E6AF2D02EDE,SHA256=664A20E30AC3E94A5E74CB0C77F985F87FE759ECBF81AD82CEB6D44B3CC179B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101541Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:27.499{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50168B9A1B6A09B4CBE98E42799E0A7B,SHA256=F722C9443609BD071F7044D844B99DCB6BF1AC44B373B99C8BF9DBBF4A1E7E1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090710Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:27.431{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA2788A6660C84DF431E9FDB431F291F,SHA256=FAD91A47DAAB6F39B8B2AE23EDE40A51F00E6E4AE97D7624994FF663679E5C4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090709Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:27.119{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DAD05C019AFC4A18C0075DF19798BFB,SHA256=A49A043A2EBD0DBC533D9036D7C72FD0265F635669F9C182F356BA0320EB0E9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101543Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:26.701{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57485-false10.0.1.12-8000- 23542300x8000000000000000101542Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:28.499{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6AFA1D01E298BA495EEFB0BF0A1E1F5,SHA256=4168611D56565340112D7CE26A2C9A4452E1FA95E7FD583C77B189BBBDEDBA69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090712Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:28.635{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4973A78E4CCBBC6FBE472F877EE5FA4,SHA256=494E3531F9251C28D7D06589419B25235DA5A3928EB1EC2EB52601DFF3B77590,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090711Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:28.150{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3062CF4DE874BA45612D2964AA0D8723,SHA256=8BBB4094A7F21984DFBF20AA0653DE862125AAD1D927D29BDBEB5611027554EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101544Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:29.552{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA1420FBD7D54EB23103EFEBB7C88968,SHA256=DB84123F7CE3B3E5903016EA7D852113410BEB201D1F15C25F372759B451BA9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090714Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:29.713{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41763D713CED5F9F85E6781FC98D12EE,SHA256=7F7DA5CBED71FF795F208BA18AA317BD91DD98A47BBCEFDBB245DA93505246E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090713Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:29.228{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90F226765AD62D54DDE8928DB1704421,SHA256=3A44F2169B5D0C714325BC3A4589BC737DE490B47546A62727A78D30FAF4F659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101545Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:30.568{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8947798BCB38A3CF8FCD9A704AC92DCE,SHA256=A732BA5929EFB765A3684F8D6ED3D7B1A87F0CF022515AEBDEEE5EED0E16A11E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090717Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:30.994{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=962E5B31335CB127E48D76397CDF3A4E,SHA256=3EB1C4D37F72C25D3CDD22969D1A6A78D8AA32CC415CC3EAF7E05967A3FD63F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090716Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:28.995{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50729-false10.0.1.12-8000- 23542300x800000000000000090715Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:30.338{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AC252627BB594DB4ACD1D6186C82E3D,SHA256=25ABFE51CDCEB6DFEA7E6F33B86FA1399D99F7B2EFB8260D81781C1CC208178A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101546Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:31.583{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C9954321D6015636AABEB65C478254,SHA256=9C448FB1B54121CC5710D869D577362363FB6ACAC567EE10FAAAE0E91909EF92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090718Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:31.369{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A9CEA442104D28F3963CE1421253F35,SHA256=E95C03C7193386EA37AAE8D25BF8B7C324329325A079F080EE428F9D35B75371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101547Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:32.584{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A62F9155F259C46DAC85DC4F97D52A00,SHA256=55DE3F1F036DD1DAF122A0CD383C7557907EAF6C2F7853A15836D1FD226407AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090720Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:32.432{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42DEB7E81601AB29CCF5B3F6BAA716D7,SHA256=B02579721D630E3C7D8761CE72A306580870ED0567191181A92DA62CFE64D82C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090719Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:32.213{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78E412ECD7038FB2995777C325BEE3F7,SHA256=C8404B4F8BFB5AE907B8F0514B473A1334BC32473CE7400C7FD6C366928884BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101548Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:33.599{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E5CB7361993345AAEA04E2BB8F5FBAA,SHA256=E3C911DECD26F003FB97B31F77D5B8235AF848AAC0916652CE4F5A02C1EFDA19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090722Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:33.682{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75FCC0AFD9D08FFCA5C5E84ED0BB382C,SHA256=EB80DF66410610CB21A4531F253CD02B632340A8555D13782D9A600616169E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090721Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:33.494{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3879E1544442A5D7B77EBE05CF9289D0,SHA256=D28EADD97FD65A9F3D56F41486072E0F44DE2E9E2AD231702839F8268A62D131,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101550Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:32.747{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57486-false10.0.1.12-8000- 23542300x8000000000000000101549Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:34.614{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD3FD1DB723253AF47671030060DBE91,SHA256=1DC6D468885051679FE13A9410CE4B90D77C7FAC15A12468FE7CF9CB014E37E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090724Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:34.807{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73D73E37741D61F0E398B98E626CA73C,SHA256=6D38F9FEF7F68766752DFDEFD4E3F4C8631D91C5383733ECDCD3609E40BA7C04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090723Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:34.526{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07495F73472D072E04C40B3081D16093,SHA256=45EC1A6049BEA06DB49891BC6BFE49F236DB51A93A0B971884F3C7DE2FA462BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101551Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:35.615{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA197756F15870D137D8FA11A74E7A0,SHA256=3705415A98FDC834C005DEAEE7743354D75E791160C3D55178843DE174A97DF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090727Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:35.994{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95CA82AC89796192C25E27763E6AD04E,SHA256=B06A474CA8C5952E75EB90D5C7ED6BCB044B25E20E914CA0F82973C647324ADF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090726Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:34.011{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50730-false10.0.1.12-8000- 23542300x800000000000000090725Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:35.541{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9814398039706154D6BF87F5FCE15174,SHA256=AFED3A8ABC43F85E85BF20CCAD0E88F72F8DBAC53F122364A0D2878B898D2E3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101552Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:36.630{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B769B03F05E960D37B38E0830D611AFE,SHA256=F9BD812220FA88ECA2555C5B5DB3F76D6CC84E5B0A08E64B6E0DCB87EBD1D560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090728Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:36.557{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3881D036E2FF2C0E15CCF2A3B34C4C9,SHA256=2F73E866DFDEACB6257C1401BD5519F5197178F5044928B9BD4F57E59AE2475A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101553Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:37.631{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6581D8043F7F8219803A16EC800966B,SHA256=32CC1A9AA61E863166915D5AF09E2645EBE351917E41DCCFC4000CD8885A1D4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090730Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:37.572{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD48D3AFC7948218E6D3F0833280E13,SHA256=F51E62E0EF30F9EEDF95CA7870DEE15B6D75D1F7ADA608DC97AF3329032A01AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090729Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:37.213{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCA6C4D4BC5E8382B987D5D6817F2562,SHA256=DE0D89D608517EB2F8C5BA38079E2CDAD53385C7735E39BC954BC5C1F80E7897,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101554Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:38.647{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA53C7F90DC317DACE02EBF5C102C81,SHA256=BC8F1BE30B78E1C92A2453D03EF536DAC8E84BEF3AF7CBF4E0B1118E62C3CCC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090732Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:38.588{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43A72EC682BD77E4672C9F4691966231,SHA256=1E0D7560C837FFA0582CAD2EF73EAD20EF0BF76AEAD62C9791EE6E74FF43CEED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090731Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:38.479{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=390E5A03F18CB95F7ABC68B2A353BA8D,SHA256=62FE13891E2AE4ECD0176FFAA4F2161783896AE3271AF2F0061602488D34CB21,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101556Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:37.769{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57487-false10.0.1.12-8000- 23542300x8000000000000000101555Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:39.668{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=855672054C1248E27EDC99D183FDB434,SHA256=153E8E9434DDD3BBBC39DDD2AE71FA7DAD78F04E98ABD867BA212704DE304991,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090734Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:39.854{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1CBB21E8A77246A4B815FD1ECB2ADA1,SHA256=30A672A0AD2F7626A71D85AFB62F4E061317081EB9C86B7D235BFFD4002FDEDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090733Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:39.604{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD7426CA528D054A5B6FBB8E36D9EEA6,SHA256=BA3D2DF9A64200C9E8D460132C67E7760F70DF889C6BB9FFE2C71A036912B6EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101557Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:40.683{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71E6F279180CB9FABB90FEC97970E42B,SHA256=243C15529406E9D3A7BB7A5B91C261171B996634156B54830F659F3764D3388A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090736Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:40.963{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DD474EB6E4D42A4092452E7D14007B1,SHA256=C85EBCEDB5D56BA04AF573F7B1E5F6A2E6C1C9EEEF8C5ABCF30A1CE615689CA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090735Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:40.620{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F6D9783FD905B8FB840EA1F1648CA9,SHA256=DCA8EC20556394C3E867D08A5F5D8AF2D9BAD34FE0D41A37A5A79FA35409974C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101558Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:41.683{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C486DB6BB4987731EDD171CD5AD80D9,SHA256=8EA9CD5E07DE550140CFAD93439AB5467B5B9A18A8B6A57223B254AB107495E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090737Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:41.635{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D635F9B9876A3AA0273AFAF1EFC3FEB1,SHA256=1B90A5DDA6C86A955CEA98228D5A73F167B39D59DD57E4AF56F8D9F5DC7B44F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101559Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:42.699{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F22A0E01F3A7FC4643862AEC8610BAE,SHA256=265848C637686DBB76E6B5E15BC27F0B0E68CC68389E093C96B58C25D4DAA952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090740Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:42.666{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C47B73E157FBD8FF4A343819EE1924AA,SHA256=58A2BCD7BCC3FB452FCA97A6898C1C53CB42A2E1A7D6E2CFB8E77315E3A6403B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090739Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:39.870{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50731-false10.0.1.12-8000- 23542300x800000000000000090738Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:42.088{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE8931C8ABD8028886DB8EFF3E20E3FD,SHA256=00AF46915DECEF392E52650038FA46D590EC90E6D1686F659362E32EAD11E184,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101560Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:43.699{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F6505363BD4A96EA87BE6E41547B1B9,SHA256=C6828411E86C1045319ECE1877AF261CCFE39EF68712F84D704478A0A19857B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090742Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:43.682{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FA98B38C726DEA7ECA4BC038E779E2D,SHA256=607E4338195B8DD8FB4C11EBD42C42A2B2D28F51C46DE05CBA65DF7AF31064A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090741Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:43.338{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F8F16A5E52B8712EE984A7B58706714,SHA256=8E4F9E86315E58734C9B7C8B33B7C76FAF3473A393FBFF5DEF615440DFF53613,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101562Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:42.784{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57488-false10.0.1.12-8000- 23542300x8000000000000000101561Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:44.723{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23251A9AD4A9AB3FB163A6C6ABC086E6,SHA256=6DB647B2A11FD538DC729252BBC160F6001F0814283BDAB1A2D7CF803802272C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090745Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:44.854{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC228786DAEB981539AD174E7E011482,SHA256=E49983BF3EF0AEE3BCEDF14503F059BEC9AE48424F63D0687AC5CF1D3BD15A1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090744Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:44.760{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E4953970582C11B798C9604B5002E3C,SHA256=DF7E8F3B6EDB16A9A8F62D3743FA5F9C665E80D5C4FE8A729B0C96C38E3CDEC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090743Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:44.323{98176BC8-7727-6086-1200-00000000BC01}1096NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=411EE3B71B0D1C66A9C5FEFFB38D6270,SHA256=42234B2F49CA919E8E6CF330D0646B19127294B780D7A3657063169353EB1CF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090746Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:45.776{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA65603E0D772A85F19CBD6DAEA77D41,SHA256=354B2EA8B7FD323F4C1CC96A6150E8EBB3817FF81ACB2F1FCFA49379E8A7F024,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101563Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:45.730{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19C02AF56B537AFB2529B96129CF3C73,SHA256=253580DBD440D7EE91AD26A462537B6DC96208ECFF3DBEE8283C5B4C32A1950C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090749Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:46.932{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83582FD95A94392AF8D8B96235505D4E,SHA256=A8E5E875FF3532DE82D154B1EB7AD6916099F0FAEEC147F0A055DA7152F9A3F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101564Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:46.731{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8BE98E314FD33EF1B691328E1FFEB40,SHA256=86304520828743F7F19976EAE64E4CFF7D070EEC3D2F03C880421BC6BBF82020,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090748Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:44.870{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50732-false10.0.1.12-8000- 23542300x800000000000000090747Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:46.057{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D4B7AC69F82E4E5158FBC8BADD63AF1,SHA256=A9983525D23FA55B30AD5618C08ECD8EDD283B7895E0B721A331939AC16D91A8,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000101568Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-CreatePipe2021-04-26 09:38:47.952{3A00444C-89E5-6086-0903-00000000BC01}1388\pipe\pidplacesomepipeC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe 10341000x8000000000000000101567Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:47.830{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101566Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:47.830{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000101565Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:47.747{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED3C994A54D617C0A5E685F1C1724770,SHA256=9F94AB2DDB9B8CF515E02E0A226072DD91BC9AD8A37AEE6D5E7514EC6258A34D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090750Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:47.198{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A9A34D7C42DA2F0172D6D498A0D4B8D,SHA256=CFED5F11A494374E0AB15C246A12C08F323B0ABCA26BE0A915316A4D8CE4510E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101570Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:48.968{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=29197BE2284520BE81CAC3BBE7797DB4,SHA256=93234FAD63843C8BB82D7E0EFCAD66EB6926DCDC2D4EC3B839E9E23EB98ADAAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101569Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:48.767{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ECCDB65E512FD2546C2DAFB4B5CD63A,SHA256=E01E4A7A2FC13A3661017CA8C1F825F2560BCEE3844EFAD5B6269A90959E6BB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090752Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:48.276{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1087853EEF45B166EAC5E78A5AE5A2A,SHA256=9FB13C386B08B8F570A2E5274DA559675B39EAE4A4E7A688CBC0EEB0D9893DF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090751Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:48.010{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F408679C61B3465494B581229AFC7CD,SHA256=EA698A571B88D55D046990F644C5B86F782D9432B8107606134A7B4E747E76DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101572Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:47.785{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57489-false10.0.1.12-8000- 23542300x8000000000000000101571Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:49.768{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7C7FA829A5EA95521019405D88788E6,SHA256=701E7E5EAA591550C989223B561C6E443AC9F1BC5B2522B95F4B884AD4480881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090754Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:49.511{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E4FA8989DDC251F7AD3FD9DA7894937,SHA256=7B30D424A2C1CD738916C6EB64052FE1D549D5574D5C452D2B91A4966D4A31A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090753Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:49.042{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F14D99D785E69133CC7B81780E0E11F,SHA256=702B9F5149BC85182853E54B9EDF1F91ACA838604A9FB711FD7105752C8B24D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101573Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:50.784{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64148C2EA75D520007600C48CA75020B,SHA256=F980DF46FF6E07A19956438B65A111E79996BB4C814D02B667F8869F03503FDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090756Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:50.557{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B1B117C2FB1EFE1923871B842615350,SHA256=870A7CDF9A0CF11B9628CC06AFD1A9927A4B9ED5D22CA469A5C23FCF9F2E04A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090755Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:50.057{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE8392D3B462BF3A216A4F6C0D0B7056,SHA256=1F0F6E15E179BCE60E1A48F6645F9F45E5F656B3480E1314D36FD624CE0A9B84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101574Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:51.799{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F57562BE1B5B63D14ADB5F18B56F2EDA,SHA256=92186E1350E188A960E05DF7C3D0F206CD7B6ADD99BD4EE1048CC674338FE138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090759Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:51.839{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEF3DBE43A52F6941BC416118A3ABFE0,SHA256=4E83BD94E259D2C3326A892B47A6FCB6A4212663FC5634E80601B978AEE9BAF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090758Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:49.916{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50733-false10.0.1.12-8000- 23542300x800000000000000090757Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:51.104{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5837EB5E33A641D82DC546BF207A00BB,SHA256=A6F7C6D2174432F55F61EE628D22477BE7C40D87E57740CB9940EA948FC2B578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101584Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:52.984{3A00444C-7725-6086-2C00-00000000BC01}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C81FA1D267D8190DFD394F0C6EF1C409,SHA256=8799B118458B61BC2BE2C7CCE01ED0BF8DEE56258AADF3EC25E977922F694BDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101583Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:52.915{3A00444C-7726-6086-3700-00000000BC01}33403360C:\Windows\system32\conhost.exe{3A00444C-8A2C-6086-1103-00000000BC01}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101582Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:52.915{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101581Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:52.915{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101580Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:52.915{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101579Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:52.915{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101578Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:52.915{3A00444C-7713-6086-0500-00000000BC01}408524C:\Windows\system32\csrss.exe{3A00444C-8A2C-6086-1103-00000000BC01}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101577Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:52.915{3A00444C-7725-6086-2C00-00000000BC01}29403548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A00444C-8A2C-6086-1103-00000000BC01}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000101576Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:52.916{3A00444C-8A2C-6086-1103-00000000BC01}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A00444C-7713-6086-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101575Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:52.831{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0E4C07B232871F13ED2E44979FABFFD,SHA256=B2A9D83B0C81422BA67741B20E6ED22FF40002231D05803BA7EFF4B925D2EF19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090760Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:52.214{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76359F8FAF4C440D0AC877B421020887,SHA256=E440015E7B4698BFB0F6551345C98803A6B4576D16D3FC76CB5C539FC816FBEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101596Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:53.930{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0D171B400381688BC73E0D84402089B,SHA256=6BC87E095D979E09121D540EB26FC81DB10E9AF3A828148E09361C00A26DCA30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101595Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:53.930{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=650327C91BA4E4BBEC28D691D5764686,SHA256=7149486247B1AABDC3D6AA9CD83F4C8E4F2EB8B73FD6B38DA5D8DDDD01FC3F48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101594Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:53.852{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B6B227804BE524D4EC53A45B0E343D,SHA256=86B964A7A0587ABDD7E33A70B66B50847528943BC8A216BEEBBA01D1459FE5F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090762Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:53.386{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D30A4A059BC8984065BF12EEF0A5E67,SHA256=9CC650CD03250CA83AEE000F5CAEB3572A67322F01EA7EED3BA047241DEDD184,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090761Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:53.229{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94ED7CAD7515FBD001354F4DD5538FF9,SHA256=D54A2C5D0FCBBCFF7E751F5458AE8E926BC5246291CE30C009A348FFB6E44E0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101593Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:53.714{3A00444C-8A2D-6086-1203-00000000BC01}61846548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101592Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:53.583{3A00444C-7726-6086-3700-00000000BC01}33403360C:\Windows\system32\conhost.exe{3A00444C-8A2D-6086-1203-00000000BC01}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101591Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:53.583{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101590Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:53.583{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101589Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:53.583{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101588Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:53.583{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101587Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:53.583{3A00444C-7713-6086-0500-00000000BC01}408524C:\Windows\system32\csrss.exe{3A00444C-8A2D-6086-1203-00000000BC01}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101586Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:53.583{3A00444C-7725-6086-2C00-00000000BC01}29403548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A00444C-8A2D-6086-1203-00000000BC01}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000101585Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:53.584{3A00444C-8A2D-6086-1203-00000000BC01}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A00444C-7713-6086-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101605Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:54.868{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4273EFC14EBCE8592C187E86ECEEA414,SHA256=BF4B1E0E5A763975BB08F7979E71C6228DB942F57DC92BC4C9E60D4A4361BD54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090777Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:54.964{98176BC8-7728-6086-2B00-00000000BC01}24762052C:\Windows\system32\conhost.exe{98176BC8-8A2E-6086-CF02-00000000BC01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090776Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:54.964{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090775Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:54.964{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090774Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:54.964{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090773Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:54.964{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090772Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:54.964{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090771Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:54.964{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090770Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:54.964{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090769Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:54.964{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090768Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:54.964{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090767Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:54.964{98176BC8-7725-6086-0500-00000000BC01}628904C:\Windows\system32\csrss.exe{98176BC8-8A2E-6086-CF02-00000000BC01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000090766Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:54.964{98176BC8-7727-6086-1E00-00000000BC01}21202456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{98176BC8-8A2E-6086-CF02-00000000BC01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000090765Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:54.965{98176BC8-8A2E-6086-CF02-00000000BC01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{98176BC8-7726-6086-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090764Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:54.511{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AEB62EAC135CED4947938DA70B4B7447,SHA256=2D9005DD8457A7F4561E7DF447AD41828D2888ADE0CEC09253269BE35F8B4BE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090763Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:54.292{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56A5BE9C6AF3E29429612AEE6B8AAE40,SHA256=FCDEB82332C2523CBFBE768531A5C5580732AD4C8C4BB08D228FCCBCDA03DED2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101604Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:54.250{3A00444C-7726-6086-3700-00000000BC01}33403360C:\Windows\system32\conhost.exe{3A00444C-8A2E-6086-1303-00000000BC01}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101603Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:54.248{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101602Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:54.248{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101601Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:54.248{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101600Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:54.248{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101599Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:54.247{3A00444C-7713-6086-0500-00000000BC01}408424C:\Windows\system32\csrss.exe{3A00444C-8A2E-6086-1303-00000000BC01}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101598Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:54.247{3A00444C-7725-6086-2C00-00000000BC01}29403548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A00444C-8A2E-6086-1303-00000000BC01}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000101597Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:54.247{3A00444C-8A2E-6086-1303-00000000BC01}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A00444C-7713-6086-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101609Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:55.884{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5711F7DF40EBBBEE0C61A8BEAF7D06B8,SHA256=963504AA2E6B8A0B169E89B267D5C2CCD1353724C84DBA79A41331CB710401B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090793Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:55.636{98176BC8-7728-6086-2B00-00000000BC01}24762052C:\Windows\system32\conhost.exe{98176BC8-8A2F-6086-D002-00000000BC01}576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090792Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:55.636{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090791Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:55.636{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090790Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:55.636{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090789Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:55.636{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090788Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:55.636{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090787Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:55.636{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090786Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:55.636{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090785Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:55.636{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090784Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:55.636{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090783Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:55.636{98176BC8-7725-6086-0500-00000000BC01}628904C:\Windows\system32\csrss.exe{98176BC8-8A2F-6086-D002-00000000BC01}576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000090782Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:55.636{98176BC8-7727-6086-1E00-00000000BC01}21202456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{98176BC8-8A2F-6086-D002-00000000BC01}576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000090781Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:55.636{98176BC8-8A2F-6086-D002-00000000BC01}576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{98176BC8-7726-6086-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090780Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:55.589{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B065525CDAFD29E845A7B57CD2E164D,SHA256=6E90A71FF3AC5844FE92760DDDC582A721ABD06AC2C8B160BD4C203FD30A3AAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090779Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:55.526{98176BC8-7727-6086-1E00-00000000BC01}2120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C81FA1D267D8190DFD394F0C6EF1C409,SHA256=8799B118458B61BC2BE2C7CCE01ED0BF8DEE56258AADF3EC25E977922F694BDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090778Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:55.339{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36DA674A3EFD3C54DB0598FF05FE21F0,SHA256=14EF0BD3389932B6BB2680100A204193B67EFA7EB57F1C1EEED6763FF89F508E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101608Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:55.284{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0D171B400381688BC73E0D84402089B,SHA256=6BC87E095D979E09121D540EB26FC81DB10E9AF3A828148E09361C00A26DCA30,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101607Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:52.831{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57491-false10.0.1.12-8000- 354300x8000000000000000101606Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:52.517{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57490-false10.0.1.12-8089- 23542300x8000000000000000101620Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:56.915{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C99C844862E5975F684339CCCD81E1A2,SHA256=2D658EB9AB9B59E22379EF16577157C91D1FDC79B29FBBA04A32AEA80A0257F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090811Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:55.322{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50735-false10.0.1.12-8089- 354300x800000000000000090810Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:54.979{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50734-false10.0.1.12-8000- 23542300x800000000000000090809Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:56.839{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D768486A8F536C240D54A2D337CBCDD2,SHA256=BF3E055DBC1832D9276842232F7226FC813AC98199274F2E4696BA49ACB937E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090808Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:56.839{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D25240F4C3E3998890B83FD68794329F,SHA256=693C79128EFF3FDDD206D365354E7F84B73CD428B6A1FA55D15DFFE8D691C343,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090807Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:56.433{98176BC8-8A30-6086-D102-00000000BC01}27401792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000101619Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:56.715{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99005F3E027B320313AD8001AF308700,SHA256=75010BC5E6B4EBA1A55C362DBCFA42F6CEC365FB83F9160C5FE729C653F6B341,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101618Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:56.530{3A00444C-8A30-6086-1403-00000000BC01}64441988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101617Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:56.399{3A00444C-7726-6086-3700-00000000BC01}33403360C:\Windows\system32\conhost.exe{3A00444C-8A30-6086-1403-00000000BC01}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101616Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:56.399{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101615Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:56.399{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101614Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:56.399{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101613Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:56.399{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101612Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:56.399{3A00444C-7713-6086-0500-00000000BC01}408424C:\Windows\system32\csrss.exe{3A00444C-8A30-6086-1403-00000000BC01}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101611Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:56.399{3A00444C-7725-6086-2C00-00000000BC01}29403548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A00444C-8A30-6086-1403-00000000BC01}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000101610Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:56.400{3A00444C-8A30-6086-1403-00000000BC01}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A00444C-7713-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000090806Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:56.308{98176BC8-7728-6086-2B00-00000000BC01}24762052C:\Windows\system32\conhost.exe{98176BC8-8A30-6086-D102-00000000BC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090805Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:56.308{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090804Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:56.308{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090803Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:56.308{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090802Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:56.308{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090801Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:56.308{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090800Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:56.308{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090799Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:56.308{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090798Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:56.308{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090797Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:56.308{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090796Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:56.308{98176BC8-7725-6086-0500-00000000BC01}628644C:\Windows\system32\csrss.exe{98176BC8-8A30-6086-D102-00000000BC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000090795Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:56.308{98176BC8-7727-6086-1E00-00000000BC01}21202456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{98176BC8-8A30-6086-D102-00000000BC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000090794Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:56.308{98176BC8-8A30-6086-D102-00000000BC01}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{98176BC8-7726-6086-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101632Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:57.915{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5BDD715837D1F5E4C60A0432A2E81E,SHA256=6D961547A0DFE1AA14BE65715ED49C920A1EA0687D0E461BF7F9B477C21A37B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090827Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:57.964{98176BC8-8A31-6086-D202-00000000BC01}35764048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000090826Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:57.870{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E524CB7808EC6095FD025D36B94D4F7B,SHA256=8DC10F35F747DBF40FC07D0856F360BEB8DEC3AE8F956B95DD46563CDFB91994,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090825Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:57.839{98176BC8-7728-6086-2B00-00000000BC01}24762052C:\Windows\system32\conhost.exe{98176BC8-8A31-6086-D202-00000000BC01}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090824Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:57.839{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090823Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:57.839{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090822Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:57.839{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090821Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:57.839{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090820Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:57.839{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090819Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:57.839{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090818Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:57.839{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090817Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:57.839{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090816Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:57.839{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090815Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:57.839{98176BC8-7725-6086-0500-00000000BC01}628744C:\Windows\system32\csrss.exe{98176BC8-8A31-6086-D202-00000000BC01}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000090814Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:57.839{98176BC8-7727-6086-1E00-00000000BC01}21202456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{98176BC8-8A31-6086-D202-00000000BC01}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000090813Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:57.840{98176BC8-8A31-6086-D202-00000000BC01}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{98176BC8-7726-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090812Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:57.448{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ABCEE24FC88EF4843DD383D43C390D6,SHA256=7C0114BB58AC807D56B293CD6ADDD6435C87B2DE0ABEBB2529B951720B03C299,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101631Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:57.214{3A00444C-8A31-6086-1503-00000000BC01}6628876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000101630Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:55.301{3A00444C-7713-6086-0B00-00000000BC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-841.attackrange.local57492-true0:0:0:0:0:0:0:1win-dc-841.attackrange.local389ldap 354300x8000000000000000101629Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:55.301{3A00444C-7725-6086-2800-00000000BC01}2880C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-841.attackrange.local57492-true0:0:0:0:0:0:0:1win-dc-841.attackrange.local389ldap 10341000x8000000000000000101628Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:57.084{3A00444C-7726-6086-3700-00000000BC01}33403360C:\Windows\system32\conhost.exe{3A00444C-8A31-6086-1503-00000000BC01}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101627Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:57.084{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101626Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:57.084{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101625Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:57.084{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101624Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:57.084{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101623Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:57.084{3A00444C-7713-6086-0500-00000000BC01}408424C:\Windows\system32\csrss.exe{3A00444C-8A31-6086-1503-00000000BC01}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101622Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:57.084{3A00444C-7725-6086-2C00-00000000BC01}29403548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A00444C-8A31-6086-1503-00000000BC01}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000101621Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:57.085{3A00444C-8A31-6086-1503-00000000BC01}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3A00444C-7713-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101643Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:58.915{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F9E2B82DFCE10ACC0C42021A01EDA95,SHA256=F12AE9E53ABC418DD892625B1FB32073A11F527EEE21063A4E982BCAF502AE5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090842Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:58.652{98176BC8-8A32-6086-D302-00000000BC01}1722652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090841Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:58.511{98176BC8-7728-6086-2B00-00000000BC01}24762052C:\Windows\system32\conhost.exe{98176BC8-8A32-6086-D302-00000000BC01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090840Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:58.511{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090839Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:58.511{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090838Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:58.511{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090837Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:58.511{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090836Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:58.511{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090835Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:58.511{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090834Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:58.511{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090833Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:58.511{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090832Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:58.511{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090831Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:58.511{98176BC8-7725-6086-0500-00000000BC01}628904C:\Windows\system32\csrss.exe{98176BC8-8A32-6086-D302-00000000BC01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000090830Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:58.511{98176BC8-7727-6086-1E00-00000000BC01}21202456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{98176BC8-8A32-6086-D302-00000000BC01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000090829Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:58.512{98176BC8-8A32-6086-D302-00000000BC01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{98176BC8-7726-6086-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090828Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:58.464{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9696AA7E185E560C2EBCC0D3E2998047,SHA256=39F7F5E128D5B611A56A653D2AA1D56DE1B971FAA7E26EB940E463CBEFF241E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101642Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:58.183{3A00444C-8A32-6086-1603-00000000BC01}64844268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000101641Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:58.099{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C26784F254A517C8DE63C9D3ED00E4D1,SHA256=58903D83DDA7ABE8C689362AA47A0626143EB7BFF35B2B44BE251DFEE04DF4FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101640Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:58.050{3A00444C-7726-6086-3700-00000000BC01}33403360C:\Windows\system32\conhost.exe{3A00444C-8A32-6086-1603-00000000BC01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101639Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:58.048{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101638Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:58.048{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101637Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:58.048{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101636Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:58.048{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101635Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:58.048{3A00444C-7713-6086-0500-00000000BC01}408424C:\Windows\system32\csrss.exe{3A00444C-8A32-6086-1603-00000000BC01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101634Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:58.048{3A00444C-7725-6086-2C00-00000000BC01}29403548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A00444C-8A32-6086-1603-00000000BC01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000101633Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:58.047{3A00444C-8A32-6086-1603-00000000BC01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A00444C-7713-6086-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101644Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:59.948{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E2E94B2ADDCDB611F87FAACE8F0B67C,SHA256=5028F81AB9A1C091C8724909DFFF79DF13D0EF387745076E23851AFE3D172917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090858Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:59.511{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=356F88517DF415698917E1CCB8B61FD3,SHA256=7C0F7C75B106C7A8E0C70C8D78887A6D02B9C53D1A0977286BF84887CAFD7032,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090857Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:59.308{98176BC8-8A33-6086-D402-00000000BC01}28603040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000090856Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:59.183{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96B87453FAE9342BFA2F2F4A1F16CB64,SHA256=325091435B2E993CC6CEBA4B412AD21C125DFF20A1998505F63EE3A211F18B56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090855Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:59.183{98176BC8-7728-6086-2B00-00000000BC01}24762052C:\Windows\system32\conhost.exe{98176BC8-8A33-6086-D402-00000000BC01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090854Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:59.183{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090853Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:59.183{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090852Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:59.183{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090851Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:59.183{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090850Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:59.183{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090849Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:59.183{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090848Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:59.183{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090847Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:59.183{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090846Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:59.183{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090845Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:59.183{98176BC8-7725-6086-0500-00000000BC01}628744C:\Windows\system32\csrss.exe{98176BC8-8A33-6086-D402-00000000BC01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000090844Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:59.183{98176BC8-7727-6086-1E00-00000000BC01}21202456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{98176BC8-8A33-6086-D402-00000000BC01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000090843Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:59.184{98176BC8-8A33-6086-D402-00000000BC01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{98176BC8-7726-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101659Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:00.984{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56FB51EA7A869E1B92DE3859465FC3F5,SHA256=E9B2A4060B5A9D2D30AB5B8121FE488FE2B0398FF88BA18F50A21DE5645AD8E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090868Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:00.995{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090867Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:00.995{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090866Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:00.995{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090865Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:00.995{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090864Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:00.995{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090863Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:00.995{98176BC8-7725-6086-0500-00000000BC01}628644C:\Windows\system32\csrss.exe{98176BC8-8A34-6086-D502-00000000BC01}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000090862Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:00.995{98176BC8-7727-6086-1E00-00000000BC01}21202456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{98176BC8-8A34-6086-D502-00000000BC01}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000090861Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:00.996{98176BC8-8A34-6086-D502-00000000BC01}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{98176BC8-7726-6086-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090860Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:00.527{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7EBDFB322E95EC8F31F76E4D30521FB,SHA256=F7F6D441E712F0FB95CE2FE526912F2E2D8F3154694E0DD69EDDAC3B087EAEE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101658Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:00.630{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=8A02DAE73A69FFCD75106F93CFB4DF1E,SHA256=7927E4FCB026C7715CCACFE4B99621E055000DDA4BDF5731D4800358FF77070F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101657Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:00.630{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=5D9C8B316ED49D862062617D2E996AE9,SHA256=4C287880CBDBBE2F481BCF190038E81B886E948EBCA29EB9961BA9F5FE9AA3AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101656Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:00.630{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=88760128544327024C76CB96D9F5AD3D,SHA256=3033F4A9369AAF1C3349251119B8D38341B5B0A09626770ACBE00BF33F28E7E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101655Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:00.630{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=CF6E4018E488495541639D2A0C628BB1,SHA256=C9EAEED3D661378B83871D69B86B68603F9FFA9FCCD1CE9659F9262950D2F367,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101654Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:00.630{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=30263F555A0B2AF1D25BFAA59BE0B3A1,SHA256=D4A97196890B116807E4EE02B67D0AE06A8BB428FF95B05C4DE0C889EE2AFBE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101653Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:00.630{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=6F8DE7672026C123572BF66C9993EB7C,SHA256=44AF866907332F4B1422B4621415C3D7106ED2E0CCB20AC408B4CC988D089BC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101652Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:00.084{3A00444C-7726-6086-3700-00000000BC01}33403360C:\Windows\system32\conhost.exe{3A00444C-8A34-6086-1703-00000000BC01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101651Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:00.084{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101650Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:00.084{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101649Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:00.084{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101648Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:00.084{3A00444C-7715-6086-0C00-00000000BC01}8363588C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101647Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:00.084{3A00444C-7713-6086-0500-00000000BC01}408384C:\Windows\system32\csrss.exe{3A00444C-8A34-6086-1703-00000000BC01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101646Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:00.084{3A00444C-7725-6086-2C00-00000000BC01}29403548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A00444C-8A34-6086-1703-00000000BC01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000101645Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:00.084{3A00444C-8A34-6086-1703-00000000BC01}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A00444C-7713-6086-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090859Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:00.308{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6FE5B3DA8C94BBAA9699E84AE853FA8,SHA256=0BD963420E66BC31806C6D7BD85B15994799FA3721A3FFEBE23C8391EB134A07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090875Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:01.558{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD75F3A920011C75F653750BB4926999,SHA256=D1EC1E44D676DC0215F8479572D2077486D9D38F9D50E6E339E84349F093D9A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090874Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:01.542{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10C6F8AE26A47C61286D309CB81E5313,SHA256=0BFF20E1B4E683FED6ECC93FE94859249CE2C9DD8991F3AD36F7E3018999C009,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101661Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:38:58.670{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57493-false10.0.1.12-8000- 23542300x8000000000000000101660Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:01.114{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99371D1199FB75EE15C1D65DAB32757B,SHA256=7DC62052D238279F8DA09C3E56F58841E82CE5337BADCB3EC061FCBC5B359EDD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090873Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:00.995{98176BC8-7728-6086-2B00-00000000BC01}24762052C:\Windows\system32\conhost.exe{98176BC8-8A34-6086-D502-00000000BC01}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090872Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:00.995{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090871Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:00.995{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090870Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:00.995{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090869Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:00.995{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000090878Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:02.855{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9CD21E4288AF7D17DF9BFB757B0A31D,SHA256=829E0692DBAE7A638A46F40465569A2A4F2916ABF1660420B21E4F6BC373C48A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090877Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:02.558{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C1553D2E85E5095015E03EDFF4BBD84,SHA256=F810C2757A25591C368A59577FE0E2B4A7B1C699C4C0040A9539C240030A93AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101662Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:02.049{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12613F3D8B85CE847DFA8397CC85F55C,SHA256=1C8FEBAC9048ED8CF97B7430A5756C1367613B85210A3F0913C3386660FE6DAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090876Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:38:59.978{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50736-false10.0.1.12-8000- 23542300x800000000000000090880Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:03.964{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F1BB01401BD72C31EE619538DB3843C,SHA256=E886738DFDAA052E7F912CAB189F29E24E9F7BE9EB0F507203FF1275A6258BF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090879Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:03.574{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C380312C6A11787A00B9FB5E8E584FFB,SHA256=6424D8C7A7F3E290FED34656A60D249D9BF7334F107FC5F8BDBE7C8227095D0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101663Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:03.084{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7558CF6EA9C80EBC66A937D084EF933,SHA256=44A2F808062B53DC38D0C6062B049C68796D1C1A5245AC251D31793D0A5B4CAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090881Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:04.605{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5CA8FFBD02C2A9316AE7C9C0918456E,SHA256=6BC9935E68DD62CC9BF294A11DBBB1B2829A76002CB8C43D666BC3B5F2890BC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101664Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:04.099{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D20BF73436EA4B2E563B7DD21EA62C29,SHA256=020C9FAE610D0155BC5B4515E1F82B175B4CF11A0ED391CC8DA459429A4D230C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090883Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:05.636{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1705CF5E55809BD6733419E0A681B97,SHA256=30840FAE185F3BE1FFDCCFF673A9A0267E718687E5671828CB835386854C2FC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101665Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:05.099{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B41D323B5D04850C1D5E9A87725381A,SHA256=4DB5FF7B2545D08597611F15FFCF9FA1EB7058AC2F36872FCE1EEE5F847DCC9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090882Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:05.089{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63ACE0F48E769D563E0B8ED560BCEB76,SHA256=86E67D883E1EB04E4A455BB172D1FEC4B21C553ED5E9DCB6C386AED9414BABEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090885Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:06.652{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EDD760BCA116DDBA506AFF092E9AA05,SHA256=262593C2E8C98C2E8D25061EA7B541CA82C4820A41817FA7F26CB2AB0DCD8806,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101667Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:03.701{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57494-false10.0.1.12-8000- 23542300x8000000000000000101666Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:06.100{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB8EBAE325B01C554546166AE0074FD,SHA256=A0CA88970E6A56FE6D509E8B57C4145B807781E97F27F17E951C49843DAE0883,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090884Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:06.183{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=224C6301B9B5D04D71A103D9181FCA3C,SHA256=A437A7380B0D55FC7C442B629DB9BEBDD0F12F6AA2E7A88D157C9F23F207CA01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090888Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:07.683{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFE0F73122053E207F3A0FE6FAB5EEFD,SHA256=0A70D288F9DA97C93B14C0AAD5E8881134AF574878F8478196FD777157F89A02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101669Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:07.968{3A00444C-7715-6086-0D00-00000000BC01}8966692C:\Windows\system32\svchost.exe{3A00444C-84EF-6086-4502-00000000BC01}2948C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000101668Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:07.114{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4B59EF2F8C893D9C62BAEA605EAA9F5,SHA256=DB5E8EF3F1891AECDB99F2057F3E0B965252D9BF6A723EDF9B53A01392B6D0C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090887Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:04.978{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50737-false10.0.1.12-8000- 23542300x800000000000000090886Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:07.371{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=063CC2A80B0C61614090F24F8A7A9F68,SHA256=C35BFD120E41C445921CBEB2CBF09A7633C5A798B524BF605958C146E4BAF868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090890Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:08.855{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C03790B2A473FF1D2A8724C73C577AA2,SHA256=2D9E1B45A29E88B9CF88F7601C4890E7801B88073E78FF69C0728C049AE6B8C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090889Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:08.699{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02DE6BE7A6AE040B135A3CD4B1B635DE,SHA256=6FB11DFEDFD953B410200F6F74FDD37F8FA30F7B5FB0C40F046EB8CD9CE6A17C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101670Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:08.130{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8496C5902A07524B807FDAAE09C13270,SHA256=3B1AE35B40FE163EEEFE9885763F4C454F8D35EECEB972B69DA3ED023FFF08C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090891Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:09.715{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8CD386F03847BD4ADC74703826CB9E1,SHA256=80FD4C96DF025A964F47CA0BD99B94575005F68C84E7B169087F9F71699E8130,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101672Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:09.268{3A00444C-7715-6086-0D00-00000000BC01}8966692C:\Windows\system32\svchost.exe{3A00444C-7715-6086-0F00-00000000BC01}296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000101671Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:09.130{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A74E91272D12CFDF456EDCC099EED69,SHA256=84139819480BAFC04166212283650080A231D6780E2DE9F71F118195AC9AA2B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090893Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:10.746{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C5CD67638468806649E1DB214DE6340,SHA256=C4A86E4DCD642E1E17D89F4EC4EBB9542A678AF894BFA9276C1C61B51C05D4CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101674Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:08.748{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57495-false10.0.1.12-8000- 23542300x8000000000000000101673Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:10.150{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1D39BF3C170E2AA1C833D24A92911D3,SHA256=60EFD3FA8D551C2903E575510FAC0D2ECE4A975D828733C15AA4B224762CDFFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090892Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:10.058{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1ECCB540ABFC1F7F9856F5CEEDCBEBE8,SHA256=AD83975B8C3888BCA316CA51E23B4846AB6035EE13B9FB7154B8454B46C8D6FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090896Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:10.025{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50738-false10.0.1.12-8000- 23542300x800000000000000090895Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:11.762{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E0EC05C4148EEF5341535163BFCFF46,SHA256=AD0902C5DE75EEBAC1D992E9DB40681EE5D03FE652B6B9A6FEFF3656CFA4A3C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101675Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:11.169{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79CE56592E251AE96416DC7A185B39B2,SHA256=6A3AE655A02270DA77248B7DDFCA540A5E4A687785D555C432B9283D977BC974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090894Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:11.121{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51BADB074768F91C5793EF261C698F64,SHA256=2A23900AA61C20F0573306184E08A87B91A69E82DA185701360F4CAA132EA96B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090898Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:12.824{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEDA7C310F8E1D60EF7A381856D9EF1B,SHA256=2483296A72C495DAEC03FFED5D8CE5392F376CBE25D0DF3673A1D235337D0AAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101676Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:12.199{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7794846A1EAF2BE031A63A54570D2E59,SHA256=796D795D8F2A3CAA5CF14D7BD6B85F3A37383F9B9F8DCD2D021911046DB0EA2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090897Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:12.262{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2511B1F3A618698930AFC93A7EEB3BD9,SHA256=AE59D77C843BD2A718F4AB16C1CDE9E50C9A8E86D1BCE6D83F977771FDE33415,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090900Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:13.840{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=245684E1A41FDDD340F8A23F249A1532,SHA256=D34ACABDBEAA120FE0B53B67980B34A2A0392A50168EEE29A155207EBC790C8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101677Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:13.215{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AD2D9F52F597B4B8A58FAA8AE74B384,SHA256=57102A60D821C6A1C0661C53693BF553EA50BE5E47F4E252D2C7E559D9235661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090899Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:13.527{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A19C694DF79D850BA6D7BF872EBD141,SHA256=5F651578AC85C4E23FA41488D2256C818A84FB4CCE3517F0147FC6E0DDF14458,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090901Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:14.855{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F6563BA9C135035AC4D3919B18ADBA3,SHA256=CE99DF206CC2B45CB4A623567F83F386C16781CAC5C048273F67ABCDD0E1AE71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101678Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:14.230{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAB18094AF4105CD73CD4421D58A94FA,SHA256=4B5AB2C359BB8D0C8E614E4C839CE8DFBA6A01EAB755206C3189726EA4A00449,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090903Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:15.887{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFDA6337FC448A01D02C7A762F4E3FDA,SHA256=63F1388837D869788704C070AC65A33D5042FBD74BC5A534A78A89DB77989DC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101679Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:15.231{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=673B52D34D01F2701D2B6F8409786734,SHA256=ACE659231AB5413AC5D3FE7461301EEC8560EEFF770144EACCFB8FFCF5320FFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090902Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:15.074{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1B974C377B57AF618B2E065593D9D69,SHA256=8BD338ED95F2056C7D5C678C1A2885BAA309F04F215595F27D3324CEAF7169A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090906Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:15.025{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50739-false10.0.1.12-8000- 23542300x800000000000000090905Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:16.902{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=437060D3AA8E663D70262F099D7EFE71,SHA256=E90BD262BFC590DE39DC277714A6B259959559872D85DF9459C48CAF7CEC999F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000101682Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-SetValue2021-04-26 09:39:16.584{3A00444C-7715-6086-1100-00000000BC01}476C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d73a80-0x0640a43a) 354300x8000000000000000101681Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:13.749{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57496-false10.0.1.12-8000- 23542300x8000000000000000101680Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:16.249{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=601B797476017F7F738F26B9388A7719,SHA256=22EE1651EF0B34DBA95EAC22B22960FA739C6AF847C0D947D842511380175CB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090904Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:16.152{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79A1533923B0952563CB5184EDAF9AE3,SHA256=6DE79979CEB4C083E5DF38468DD3B28ED6F446E00D97DDDB46159FD9ECF1383C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090908Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:17.918{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F18596F851DAF78D49425FC35F8F46C,SHA256=EC7737CF5571F71D7486760F8B62BC7505BFA6D8B4BB45255FD68E6920B11504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101683Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:17.274{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F047EAAA240C64D743F7462CB3C99F6,SHA256=7DD676EB753281032A907FE241264172D4BEADC6A82DCBE9E2E2040A86973DE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090907Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:17.340{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3270F9529335649B2B50A5FDBBEAE2B,SHA256=E0AF6DB7B33193E94AC21ACA5BC8C822107C787B5B3C0DAD89251760DA10A9A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090911Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:18.934{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97877648F66BAD4FAE75B805EF418DEF,SHA256=67982046AB654E3AFDBE034320A9F2D48EF3E65F393FF15EB15C8309FA2503F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101684Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:18.322{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D771B52333008E670D4CECF826EC06C4,SHA256=7D17D59BE434660F8B48C546527E37775A476088CE0F2EEBA6984156929F472A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000090910Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-SetValue2021-04-26 09:39:18.871{98176BC8-7727-6086-1100-00000000BC01}1084C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d73a80-0x079db350) 23542300x800000000000000090909Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:18.418{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF7A4CA3965D9F8114EE67EFC96C7C17,SHA256=C1BA53765F9CD42DF14398709B78EA70660DFD84898014AF88744B8083E53FC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090913Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:19.965{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61AAC9EF6A218C18C173F13D466336EE,SHA256=1C61D8EAF9CF8ABED07729F5BD200885A41A9D5DEE66646F863D5C1E1648903C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101688Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:19.892{3A00444C-84F0-6086-5002-00000000BC01}47324820C:\Windows\Explorer.EXE{3A00444C-8594-6086-7502-00000000BC01}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF80024E648C8)|UNKNOWN(FFFFC4AB016B4A38)|UNKNOWN(FFFFC4AB016B4BB7)|UNKNOWN(FFFFC4AB016AF241)|UNKNOWN(FFFFC4AB016B0C0A)|UNKNOWN(FFFFC4AB016AEEC6)|UNKNOWN(FFFFF80024B7BE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000101687Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:19.892{3A00444C-84F0-6086-5002-00000000BC01}47324820C:\Windows\Explorer.EXE{3A00444C-8594-6086-7502-00000000BC01}5740C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF80024E648C8)|UNKNOWN(FFFFC4AB016B4A38)|UNKNOWN(FFFFC4AB016B4BB7)|UNKNOWN(FFFFC4AB016AF241)|UNKNOWN(FFFFC4AB016B0C0A)|UNKNOWN(FFFFC4AB016AEEC6)|UNKNOWN(FFFFF80024B7BE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000101686Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:19.892{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF4b0f93.TMPMD5=C99EE02EBFB64BDE6B873A56BB796C66,SHA256=C71E259F4C9B0D61592A2D077072B03E7F90454AA9B9A4CD017E3051F09C73F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101685Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:19.322{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA41FDF585FB78A1BF158CB4FBA70744,SHA256=CE3206B777BFB81BEF729AD90A25B1AD26B9922B8C8D57251DDB36F6DC765B12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090912Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:19.699{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D4A14295BAA275685EEEAF9E32DB792,SHA256=537BC365ACE916BB427A459F31D0F9D1360221FB1B73C1F826C49A51226D5E58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090914Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:20.980{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=252F57928B6C6B1966A92434F712112E,SHA256=E87EEF253C638E43D27CC0C6D1B367CD2E8EFB52B3BA12589432839AF4D1D19D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101689Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:20.338{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E18739740E41C6213DE35747C2842E3,SHA256=829CE13B76263B6244C02E817406833CF96BF77836CB20CAB91688EED80F8EE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101691Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:18.786{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57497-false10.0.1.12-8000- 23542300x8000000000000000101690Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:21.339{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23DC758EBE10E0AFF743376B4218D960,SHA256=9313888586B2533971063807A153F0C450406B9477E9F4984FD7605E4D89A107,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090915Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:21.168{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EDF951EAB18D4ADD67F946136624687,SHA256=F398BCA5DCAEDF6CF51032278341B440B69A233CD917067E479E378A1C52A0CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101692Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:22.355{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3CD009F8ED01268D99DC547321B16CC,SHA256=B6659DD3AB1E948F9B6519F477493A1F7CDE79F4620091E3FECBC35367E5C10D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090918Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:22.355{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F07DF9BF33C34A38C6D897E76F5A7822,SHA256=D3AC64EB97FEF5AF0BD861EC19E6B76461CB577A6C63661798FF8F2703DE75EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090917Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:20.071{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50740-false10.0.1.12-8000- 23542300x800000000000000090916Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:22.011{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EA4BFE5D2F3601B5031BD833BEB832F,SHA256=CB3B08F28AFC6F15C526A85F2F1137A337730A7CA6D83B75E7C15DA789626497,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101693Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:23.376{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B072B9C91CD6BFB06D25E824D209472D,SHA256=7D9C58057F8A4A8483F558E995FD45FA6B8291590E816622BC543F67F536FC94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090920Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:23.480{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CD69B6C5F78C9C1E1E483BFCDC0FD2E,SHA256=7EC33075B1FE1E5A218A2B5F872F37FA4905BA64184FA7ECA486653167F92016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090919Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:23.121{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B96F010EAF564CA4389D038ACC8C032C,SHA256=E04003081C2087E4CAD5E5FDEB589564CDAF0C3320809BBE466DABF1896D3E02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101694Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:24.376{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08874939B4F596338FE4C11A78DA4604,SHA256=4AF681B112DE71123AB9D648C0FC4E65C4395CA802E54998BDFB48380DA8F9B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090922Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:24.589{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D3B5F4C42512BCAB56CCFA1A5D587F8,SHA256=C7F73CED6B9C85F2BE7E6AC6B4DF754D0D810A32847D435FA75CE6D486EC79AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090921Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:24.230{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1B05D303B7A542A55529CB236C3F188,SHA256=B9D73C60068EC579581A43B05FC94FDFFE3221AC345985047839DC126002A1AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101696Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:23.801{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57498-false10.0.1.12-8000- 23542300x8000000000000000101695Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:25.391{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ABE5FAEFBF7C3B1696193C17B1A28AC,SHA256=6C6FE6131D1CC895627155156457EB07FF2F6FA73655FA20EB42EA2EF71E4412,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090924Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:25.667{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=998B8B2E848F5A1B5EEFEA9343B929D1,SHA256=E3E6869A2CBFE9B0B84C729DC72E8D7A1D5BB87E3AC66BCE92510FF317FFEFF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090923Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:25.261{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D613C4D8C2B3703C2C055021D2AB4A00,SHA256=99D23A755AEFE938BF97124B8EE3BEB14ACC4A115EE3D77058DF595FE64394D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101698Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:26.391{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AF1FE8100CC986AEB1BC6AAA942D647,SHA256=52A3987A836838E72D413C3F4602F424F20206B4AA43DAFF3590D78E88D9B553,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090926Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:26.729{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CDD427B81C80DEAA4D5E5A63C25D02F,SHA256=672B8EEF658A18111B1FA1DC2BFD0EA12DA8E5EF0DF4824ADCFC1D0DE5CAE938,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090925Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:26.292{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFACE5272AA5876D353036E875DAFDE3,SHA256=49BD36FABCBA7FA026FD4423725676DCC20990CE2A3C7A0FEC7DB02D21778D86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101697Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:26.277{3A00444C-7715-6086-1200-00000000BC01}612NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D52696601B4E23A0D7DA0C5D4E8155CA,SHA256=BAA6D85EEA47DF5DB04358D38DAE1A8CA32665F3F53F6355AEF5E61F6DA88BC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101712Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:27.406{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B61C4EF9FA431BEE96F5BE32B41FCBD,SHA256=6C13860E1082E5CC55ACE0B548FADBC4CC8FB46268D2297E3585E246696F2FC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090929Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:27.963{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E770C8A7C1C23D0CADB0FE12110BE81,SHA256=2B13B3FDE69CDE34883196A8FCEBDD27C03CCD6BF80D54516E6686C135570321,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090928Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:26.024{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50741-false10.0.1.12-8000- 23542300x800000000000000090927Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:27.307{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6BBEC133F26761D052DB76BC4476487,SHA256=FC81631391CF7C78967DADD970032D35FFE5AF60FF15BA45C219B24337776717,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101711Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:27.208{3A00444C-8594-6086-7502-00000000BC01}57401096C:\Program Files\Mozilla Firefox\firefox.exe{3A00444C-8596-6086-7702-00000000BC01}4224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2ce60|C:\Program Files\Mozilla Firefox\firefox.exe+2c9b3|C:\Program Files\Mozilla Firefox\firefox.exe+40d40|C:\Program Files\Mozilla Firefox\firefox.exe+40a3c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101710Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:27.159{3A00444C-8594-6086-7502-00000000BC01}57401096C:\Program Files\Mozilla Firefox\firefox.exe{3A00444C-8596-6086-7702-00000000BC01}4224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2ce60|C:\Program Files\Mozilla Firefox\firefox.exe+2c9b3|C:\Program Files\Mozilla Firefox\firefox.exe+40d40|C:\Program Files\Mozilla Firefox\firefox.exe+40a3c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101709Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:27.158{3A00444C-8594-6086-7502-00000000BC01}57401096C:\Program Files\Mozilla Firefox\firefox.exe{3A00444C-8596-6086-7702-00000000BC01}4224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2ce60|C:\Program Files\Mozilla Firefox\firefox.exe+2c9b3|C:\Program Files\Mozilla Firefox\firefox.exe+40d40|C:\Program Files\Mozilla Firefox\firefox.exe+40a3c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101708Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:27.156{3A00444C-8594-6086-7502-00000000BC01}57401096C:\Program Files\Mozilla Firefox\firefox.exe{3A00444C-8596-6086-7702-00000000BC01}4224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2ce60|C:\Program Files\Mozilla Firefox\firefox.exe+2c9b3|C:\Program Files\Mozilla Firefox\firefox.exe+40d40|C:\Program Files\Mozilla Firefox\firefox.exe+40a3c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101707Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:27.138{3A00444C-8594-6086-7502-00000000BC01}57401096C:\Program Files\Mozilla Firefox\firefox.exe{3A00444C-8596-6086-7702-00000000BC01}4224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2ce60|C:\Program Files\Mozilla Firefox\firefox.exe+2c9b3|C:\Program Files\Mozilla Firefox\firefox.exe+40d40|C:\Program Files\Mozilla Firefox\firefox.exe+40a3c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101706Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:27.138{3A00444C-8594-6086-7502-00000000BC01}57401096C:\Program Files\Mozilla Firefox\firefox.exe{3A00444C-8596-6086-7702-00000000BC01}4224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2ce60|C:\Program Files\Mozilla Firefox\firefox.exe+2c9b3|C:\Program Files\Mozilla Firefox\firefox.exe+40d40|C:\Program Files\Mozilla Firefox\firefox.exe+40a3c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101705Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:27.138{3A00444C-8594-6086-7502-00000000BC01}57401096C:\Program Files\Mozilla Firefox\firefox.exe{3A00444C-8596-6086-7702-00000000BC01}4224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2ce60|C:\Program Files\Mozilla Firefox\firefox.exe+2c9b3|C:\Program Files\Mozilla Firefox\firefox.exe+40d40|C:\Program Files\Mozilla Firefox\firefox.exe+40a3c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101704Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:27.138{3A00444C-8594-6086-7502-00000000BC01}57401096C:\Program Files\Mozilla Firefox\firefox.exe{3A00444C-8596-6086-7702-00000000BC01}4224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2ce60|C:\Program Files\Mozilla Firefox\firefox.exe+2c9b3|C:\Program Files\Mozilla Firefox\firefox.exe+40d40|C:\Program Files\Mozilla Firefox\firefox.exe+40a3c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101703Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:27.138{3A00444C-8594-6086-7502-00000000BC01}57401096C:\Program Files\Mozilla Firefox\firefox.exe{3A00444C-8596-6086-7702-00000000BC01}4224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2ce60|C:\Program Files\Mozilla Firefox\firefox.exe+2c9b3|C:\Program Files\Mozilla Firefox\firefox.exe+40d40|C:\Program Files\Mozilla Firefox\firefox.exe+40a3c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101702Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:27.123{3A00444C-8594-6086-7502-00000000BC01}57401096C:\Program Files\Mozilla Firefox\firefox.exe{3A00444C-8596-6086-7702-00000000BC01}4224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2ce60|C:\Program Files\Mozilla Firefox\firefox.exe+2c9b3|C:\Program Files\Mozilla Firefox\firefox.exe+40d40|C:\Program Files\Mozilla Firefox\firefox.exe+40a3c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101701Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:27.123{3A00444C-8594-6086-7502-00000000BC01}57401096C:\Program Files\Mozilla Firefox\firefox.exe{3A00444C-8596-6086-7702-00000000BC01}4224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2ce60|C:\Program Files\Mozilla Firefox\firefox.exe+2c9b3|C:\Program Files\Mozilla Firefox\firefox.exe+40d40|C:\Program Files\Mozilla Firefox\firefox.exe+40a3c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101700Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:27.123{3A00444C-8594-6086-7502-00000000BC01}57401096C:\Program Files\Mozilla Firefox\firefox.exe{3A00444C-8596-6086-7702-00000000BC01}4224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2ce60|C:\Program Files\Mozilla Firefox\firefox.exe+2c9b3|C:\Program Files\Mozilla Firefox\firefox.exe+40d40|C:\Program Files\Mozilla Firefox\firefox.exe+40a3c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101699Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:27.123{3A00444C-8594-6086-7502-00000000BC01}57404444C:\Program Files\Mozilla Firefox\firefox.exe{3A00444C-8596-6086-7802-00000000BC01}4680C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+50791|C:\Program Files\Mozilla Firefox\xul.dll+2a6459c|C:\Program Files\Mozilla Firefox\xul.dll+2a64269|C:\Program Files\Mozilla Firefox\xul.dll+2a5f1cb|C:\Program Files\Mozilla Firefox\xul.dll+2a2a9c1|C:\Program Files\Mozilla Firefox\xul.dll+4f8e642|C:\Program Files\Mozilla Firefox\xul.dll+14bd471|C:\Program Files\Mozilla Firefox\xul.dll+14bfd8c|C:\Program Files\Mozilla Firefox\xul.dll+1079d4|C:\Program Files\Mozilla Firefox\xul.dll+3c82714|C:\Program Files\Mozilla Firefox\xul.dll+100751|C:\Program Files\Mozilla Firefox\xul.dll+3b6358d|C:\Program Files\Mozilla Firefox\xul.dll+107e51|C:\Program Files\Mozilla Firefox\xul.dll+3c82714|C:\Program Files\Mozilla Firefox\xul.dll+100751|C:\Program Files\Mozilla Firefox\xul.dll+3b6358d|C:\Program Files\Mozilla Firefox\xul.dll+107e51|C:\Program Files\Mozilla Firefox\xul.dll+180689|UNKNOWN(000000AFA03F3DFF) 23542300x8000000000000000101713Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:28.439{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCA754B901B5F5ECCFDB1DCFD8B3C1AA,SHA256=1F3565C421EB3E04865AE3B27DC3014F4FBEDF89212EE28ACBD42A98A489473E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090930Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:28.323{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020C2C94DFF6F96C0F867CD8739F081F,SHA256=8847811E8B4F209003FDF799B23AE25F60BDD5E5A36B2CD1E840B1C90F8FCDCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101715Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:29.455{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C6B069593B3ED8F4E00C7B1136E1B7F,SHA256=0CAEECC7EB66B06593752A23A02E54C86CCAD40201F076396A311F59EA1D6BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090932Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:29.338{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6FA9B2E557A87B7BB056D5EC1DFA00D,SHA256=9609184400193EA3BC355ECC1FC15F8AC822A35F2543CE5DD1D1774D2A673145,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101714Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:29.138{3A00444C-8594-6086-7502-00000000BC01}57404444C:\Program Files\Mozilla Firefox\firefox.exe{3A00444C-8596-6086-7802-00000000BC01}4680C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+50791|C:\Program Files\Mozilla Firefox\xul.dll+2a6459c|C:\Program Files\Mozilla Firefox\xul.dll+2a64067|C:\Program Files\Mozilla Firefox\xul.dll+d96969|C:\Program Files\Mozilla Firefox\xul.dll+d8eb60|C:\Program Files\Mozilla Firefox\xul.dll+40981|C:\Program Files\Mozilla Firefox\xul.dll+1225bfe|C:\Program Files\Mozilla Firefox\xul.dll+11fdc4f|C:\Program Files\Mozilla Firefox\xul.dll+3fd3e|C:\Program Files\Mozilla Firefox\xul.dll+3cee48|C:\Program Files\Mozilla Firefox\xul.dll+3cdbbf|C:\Program Files\Mozilla Firefox\xul.dll+3a1f28a|C:\Program Files\Mozilla Firefox\xul.dll+3abc2df|C:\Program Files\Mozilla Firefox\xul.dll+3abd659|C:\Program Files\Mozilla Firefox\xul.dll+3f23|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c4a8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000090931Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:29.229{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1F6758EC0485C51391EACC28A68E34E,SHA256=1B9584F4139701739AC93FB105C02E2CBBEA4A24C14A1618EC9142205D4C2F02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101716Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:30.476{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4504822A3315F94B33F5507F9302D0AD,SHA256=367F608F711B94D8480CDDCABCF74514C64D2E42349341A8FA71FA34EF3EAD55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090934Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:30.557{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A75068761CC5278062C821ADEF7A4F26,SHA256=9E8412258D69701B8C7DE7DAE5EDE76B60FB5C1962F787205C2FAB570AD45F4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090933Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:30.354{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8645E58153E008A4A79F60FAE7EF59FD,SHA256=02D39FF2FB41C480C485E8FA709B6CAEF6AF8901953D31AD044F458C008AC2A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090936Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:31.682{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=149928B97CC8F44F77229DEF53127253,SHA256=ABD4206F551DF233CFC6E005C0F9934DE5063CBD5CCF034751EDC165E5A6604A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090935Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:31.385{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=529F0E05954CD816D39AE9B39684E2CE,SHA256=1E6641BECF48D10A222F4AC6E74E3BBB1595E3322076433B33A93B65B60381BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101718Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:31.492{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68E2EA4E09CC14BADCCD0D32ACF87DBF,SHA256=BFF851D5C2A6CAF26D5E4BD179E9D13798B1EB308EF6DE830F4FBEF812A7F68C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101717Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:31.375{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=C2AFDF353741176CBF60CF0A1089BD62,SHA256=86DF139C0CAA82D631C749BBA4401ADE449D89E368880350786AE8A63814AD97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101726Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:32.708{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=35FE695D67D864CEECDAD1F27923DA81,SHA256=1AD168DBD01099EFF0709465394E24A2DD661A1989A5402437EB5A23B4BA86E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101725Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:32.708{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=F884A3139AA7C042D43842BB7395D7E4,SHA256=314A798812059570BF92CF8756B4722A8ECA9AFD6D7B51B064B93ACA797FFCE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101724Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:32.708{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=D76B26C336938884CE55C366E9566FB5,SHA256=5D1FAC00818643903D9F32911BEFB40D5D45F0AC7F9978C08695AFA8C2A6E1B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101723Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:32.708{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=5F76B439FF57525769185B3BE39D295E,SHA256=640DF68CA464F515A670DF6BF12381A9F184FA1E2D6DD5C7267E6A4478CCA0EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101722Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:32.708{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=C10D32F128E28F7244EF123191771A63,SHA256=6145DDBB655BF68B1CBCA06DA1B8194BFB17B401E19B2EF065F48B50D1E4FD06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101721Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:32.708{3A00444C-8594-6086-7502-00000000BC01}5740ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q5ew7ppb.default-release\datareporting\glean\db\data.safe.binMD5=BFB0CAABDCCBCB538EC20D91D2693743,SHA256=00E399326BA5DF9E70E97C950D6EDB5473030DAED248DE7AE6459513ECFD561B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101720Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:32.492{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=101E582A554947D57E77DC16B7C57C3E,SHA256=00481F4502DEEE8BF8790CED977D5D06B46D140A8DAA3B480E00C0E81CCAF472,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090938Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:32.822{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=448365C89912994B569E846685CE1257,SHA256=B6DCD876FF5758A274D18578C92BEEC972223454D117146A73B9491AB989AC98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090937Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:32.400{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B214137EA33B11B6F65FF96BF76D06A6,SHA256=56B970EFBC7D7F851B0622E1F457282075CB439764DE6E50FCFEB4F46AD04252,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101719Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:29.633{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57499-false10.0.1.12-8000- 23542300x8000000000000000101727Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:33.507{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C65C7D156F6C824A27CA010C75DD9F,SHA256=36F13B91CA50B54113195AFEF7F6859102299856A1EE1DD9E802055EC11F48AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090941Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:33.994{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D59E1E35931102A9D79C9DD033F8BE4,SHA256=292F51C8A1DAB48C725A9A6F492B7F24313368DB808F185CF18D17417D029FA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090940Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:31.961{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50742-false10.0.1.12-8000- 23542300x800000000000000090939Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:33.447{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F137F6DF1AF2C1EBD6587FE250A4C9AE,SHA256=93FE35130923AD951A955E5710021DFCAA61E84CEF1D30207A3C28EC44112E90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101728Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:34.507{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=993726C54797D2435D5C069B519E6FEC,SHA256=F5E78760AD30BD7F40689AA5D4D73F9C27BFB74E5C067D2DA2AC3434379D817D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090942Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:34.462{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A1351D8C8FF517A5065B956BF47DE6,SHA256=4AB724247C26D4A16249BB8C409CC190E14FA5F4568E1E10BC7EFBD9470DDE30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090944Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:35.509{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B035EB5AC8CF51354AF51DA2FB60E319,SHA256=72737925AEFF9DB3A9558C57382BA5DB563C6A39216F28BC2E7B2B6F39A65C11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101729Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:35.538{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7E9C7D7DBF4E0926BA916D265FD051,SHA256=3A93DB251D27C9795486CD8154A17298E2D8F31ADAF15BC0042CEFB64B5E47EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090943Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:35.181{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F5D8CB72E92A158B6CF787F1F6E48BF,SHA256=DF3755DF57D6D22C61CA1D9A0743DDC375C27636564AD8CA07478AE75E2A3EF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090946Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:36.540{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7887346630654F722D2F6DDF8D68E7DB,SHA256=4B32C6CFF3604B7D0CDBCC59A88F014BB53C62507BD1386C353E73DE4D483FAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101731Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:34.671{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57500-false10.0.1.12-8000- 23542300x8000000000000000101730Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:36.538{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB5F6800DC76152C3ECC33E860AE961A,SHA256=BDB1B5BCACBDDA9F9ED23FDD7B9F83747FF0DDA57F45C5593B5D9AB331641F87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090945Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:36.478{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2741E1B6EE03C09225A279528192AF22,SHA256=5404BB00761ADE344F7DAECF84CD417B35B5C51E51BDAD5050C064D1C8D0FCD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090948Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:37.821{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4294425C111CFFC2AC7874C41229BF2,SHA256=977CB932757D6934A1E1E2F31CDFB2F3CFCCAA509B06E1EE0FD5D5CCEC6F1272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090947Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:37.556{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D44094FF9723E3E8772D3AD1C0DE77FA,SHA256=6E535B70951443E341B13C3D87212D02B3182817D70517B8CC6A64A0C006C273,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101767Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101766Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101765Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101764Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101763Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101762Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101761Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101760Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101759Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101758Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5202-00000000BC01}4968C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101757Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101756Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101755Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F1-6086-5302-00000000BC01}5076C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101754Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101753Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101752Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101751Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101750Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101749Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101748Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101747Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101746Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101745Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101744Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101743Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101742Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101741Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101740Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101739Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101738Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101737Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101736Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101735Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101734Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101733Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.607{3A00444C-7715-6086-0D00-00000000BC01}896916C:\Windows\system32\svchost.exe{3A00444C-84F0-6086-5002-00000000BC01}4732C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000101732Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:37.556{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22F5F61FAC9F47B1728D91E46DCC1F42,SHA256=250F3E19017FD06F718564E5F8080A2E0BFCA14F7845E18FC0D5C9C7B94A4B83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101768Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:38.792{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B48A9A32DA4788BC1472ACE5EDCB44,SHA256=F9B67C3C24728575B52C73BD1C3D2C13FB7DCF7A745D4561913636D5E671E120,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090950Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:38.962{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE9D587EE7F44C2ABB5247C0BF7AC3B3,SHA256=226B764AD3E16533E429632F09D20D7F22012FFFF90974D1D2166E1FDC3C05B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090949Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:38.602{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E7C5C15A0FDBCB87E77E78F2A35134,SHA256=DF71B2E527598EFF56858E2067C284EB32B15AC4E084B2C263F4AAD540211EE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101769Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:39.792{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6023C764F4A3B14F332486FB824A53D8,SHA256=5DF1A70772693F59254BC0043A3777498E595ABED5A17858F8DADAC7081B46A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090951Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:39.680{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AC4C202D010529466D0C4785400B131,SHA256=ECB8B90F56AE988E0F4A09FFED31E2CE8DD1CFBEC54A3477691BBF6DE5555D8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101770Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:40.792{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF29067A19F1CC02FFBB9F07A4AA5BCD,SHA256=11291A8F5C5A7EDFE4FFCA8F92A6C739D04C78925F4907595921F64E0924D3AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090954Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:40.727{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63D52ED37D964261D4309C26E7018381,SHA256=561FC7C53DC00E4E4C2CD19B43D3EB5611ACB363AD84144EC9F8147AACAFF1AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090953Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:40.102{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=483FCCE02B137F16569D2F5EBEC97191,SHA256=B5F59BEC1863458757B4817CF9A619F6404D38A5B8115AE726B608550BF80D66,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090952Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:37.930{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50743-false10.0.1.12-8000- 23542300x8000000000000000101771Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:41.808{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4715FF679E8080700207A04EDCEF63A9,SHA256=3219D0EF1FDC975C1667F1B8300FF9F752EBDDE50FFF2A5E2DCC21EBAA9FB1B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090956Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:41.774{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4122AC571B09B64CB77627661B5527C,SHA256=B683361F9ADE341306FFF9A61049F9E776494CC124F669BA63ED2AA124B1A595,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090955Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:41.336{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69C18E6E4AE678C20EC4D89E47C45BD7,SHA256=BB38EF80F76BD5C3CA2624C5767ED5765225F222800806860A9C1356EC41ACBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090958Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:42.805{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D901D782047B4C3E046B2E64CBE778,SHA256=38AFE51041DA6CDBA0A260FC1EFE3B0B53733D8D97DE2DB8EBA121227F9116E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101773Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:42.838{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB4DBC3632D8E7FBB5016D6CDBE5948A,SHA256=7E46257478E0BA951162E8B8E99E76E5520377FDE6DD4E430FD44EB0B0FB5846,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101772Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:39.686{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57501-false10.0.1.12-8000- 23542300x800000000000000090957Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:42.695{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5165A884B0F5B4AC6AB7EFE3B7AECF0C,SHA256=B632BFA4F6AE7961AFF99932DB56158F1DDE6DCF9BFB7896EA32CC5B80C3C364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090960Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:43.945{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F822C52F3ED01EBEE78A2C548E6F6F9,SHA256=FAA0D61EAB07A382D21813923A6DADF36C2AC10230750F5C65B7304FE84F70F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090959Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:43.867{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86E8C45AA84139F31C7F0385F6F3D146,SHA256=32BAE8E0C3184C75591B933E7484A5AEF0DF1508C5E232BD4642A21617C1B043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101775Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:43.838{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21F9D5FF019489BE8AFD5BB9AE0236A7,SHA256=BDCE0D015F56E509636E14EB5F946D69CE9C9351A3B89CA7EAD65732A7A887EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000101774Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:43.176{3A00444C-89E5-6086-0903-00000000BC01}1388C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveFiles\AutoSaved_a0f347da-863a-44b3-a1dc-0947faebb075_Untitled1.ps12021-04-26 09:39:43.176 23542300x800000000000000090962Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:44.898{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1471AB1ADCEDE594EF267685CE703E94,SHA256=10A7426B7ADE49694936D152856E62D0005D0F06033D3B6EE8DC1236771A928F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101776Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:44.839{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9363157EEBB376A4F2FD89AF30241933,SHA256=89699E1FBE8E2BF6C4F7C2A57B3F2FBE72A2DA1FAD44C384587298F44B9743EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090961Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:44.336{98176BC8-7727-6086-1200-00000000BC01}1096NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FCA2A16CF456E8961E1560CB26DA5173,SHA256=48F210B860D21E8FB7B61D79D8B3E71AD4A9B0E37092A2217054E2284E599E56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090967Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:45.961{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3A38AC950CFBAC7E1D9A8227DAE1D6,SHA256=1C9CD9E44929DCCCBBACABD4DC2F96B70DAAD14D41A0C5CAFD0470595D094077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101780Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:45.877{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C35E66AB9733277BD4F17DCC29731C06,SHA256=A3AD223D33075E5B1DE6B5108DF0E7D93EF0605BEF9E2D4229BDC3A4E7BAF4A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090966Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:45.914{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1600-00000000BC01}1472C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090965Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:45.914{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1600-00000000BC01}1472C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090964Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:45.914{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1600-00000000BC01}1472C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000090963Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:45.164{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B77F724DEE736AAE1827A63B709983A,SHA256=ED153379777AF1676704590DC438537FC736BD143305D3FD0D4A1BB6BCA8B528,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101779Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:45.139{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-7715-6086-1600-00000000BC01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101778Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:45.139{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-7715-6086-1600-00000000BC01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101777Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:45.139{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-7715-6086-1600-00000000BC01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000101782Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:44.702{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57502-false10.0.1.12-8000- 23542300x8000000000000000101781Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:46.908{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1A53E81FD3726CE67F1CE0A1366684E,SHA256=83B9204C7E86CE7D32D2602B2C168E791739CDED372669B981733164D48C70FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090970Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:46.976{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC8747F4BF34249202AA6FBE3D9D7475,SHA256=533782125D0E82CDA13B5AF5C6480571FB82B94C4AC80E52D8FF900859FF3C87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090969Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:46.273{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=962C7F3ED4B42A9451B4003C6C715667,SHA256=B987C577E1E3513B4330DF7A072C606E7DB0211CBEB4FA5875197F3CAF06248F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090968Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:43.883{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50744-false10.0.1.12-8000- 23542300x800000000000000090972Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:47.991{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36927EE78BF76C8789DD3377E33C1AFE,SHA256=F503FD9349D118C4F74EF8013354B994E5667D5BE01141DEA0C343C98D8B27FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101783Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:47.908{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B7CD5F558DAAA5D4F8A14C9986EFD9,SHA256=A872CFF20FF4B65845190C374AC01F633BEBE04C45E5A99F501C01C04D84FF98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090971Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:47.367{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D34640EEB8C231799EA30BD61B41EAB,SHA256=C50E9207C7D846728CEB86A68465FD0906195AB8D0E6FDE4CA6831F0F1533E8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101784Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:48.908{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F677CFB3CA0990943B84440F71DA85E6,SHA256=BF611C3A9E2E4B5450934C91620D9F1961B36C2E5AB1EAFAE5744AA28C7E86A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090973Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:48.538{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B11B9BAC7BFEB9BF335DB3DCE3CBA2F2,SHA256=6545D7735EAD076A6AC4B9D09F294C423F8556316CC41236D5A95DA9C56D9383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101785Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:49.908{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C6C27C3FF41FEA1737F38D9A6226050,SHA256=C88112F0DA576F331BEB6A76971E24462F853CFA52C3D92154824E4E4CC91940,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090975Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:49.835{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19C285E24D17EF8E8E7E8DE99FD5AB39,SHA256=EFD48A211B26222E0890F48B7160FA1DE0B137C2A18784D395CA9D1C32AF74B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090974Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:49.226{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2B31BDD250147375820BD24EFA63BAA,SHA256=AA100AD6F1199A149277A95BF59A47ABA15572BE95664C85CDCF0AD8044CAC29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101786Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:50.924{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AABE0918E6E52985DDAB301042825FCC,SHA256=7F0B7160DE5AB522540B7B149D4328D4AC214BCB14029C3DCA1140C905E2EC99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090976Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:50.241{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADB5E05A6CF66A907F145BF1A9F0F96C,SHA256=A4E35E4581382DE8343C0FD969DE14B49DFDC6CA31180592BAD4B3DC7DD21B75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101787Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:51.924{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=231C6F1EC02BC45BCCC11632FC43F533,SHA256=94FAB309837C5410E6A7DB3B416F89D6CBB2F23BCE29E712CEDC9C431F47C074,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090979Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:49.008{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50745-false10.0.1.12-8000- 23542300x800000000000000090978Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:51.272{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9C8AC8FA91ACED9BCD08307BAFC7CE7,SHA256=9E2F17704B9917A447DF69C0C901321870D213560A805629E7F37E68EDFA21C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090977Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:51.100{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B258216AD0576AD4B06F5D0FE4AEA9E8,SHA256=C0D7E26B5397143C78B1D90ECA84CD1F6719C05BD91FE277024DBE9F2A08B42B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101798Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:52.992{3A00444C-7725-6086-2C00-00000000BC01}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C81FA1D267D8190DFD394F0C6EF1C409,SHA256=8799B118458B61BC2BE2C7CCE01ED0BF8DEE56258AADF3EC25E977922F694BDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101797Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:52.939{3A00444C-7726-6086-3700-00000000BC01}33403360C:\Windows\system32\conhost.exe{3A00444C-8A68-6086-1803-00000000BC01}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000101796Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:52.939{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C894C78152DA0B9F7E750C0A1849431F,SHA256=C5809C87B37D6043380B5351469F338537A20B2FBDEA55A57EFA9B3F40FDBDF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101795Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:52.939{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101794Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:52.939{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101793Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:52.939{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101792Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:52.939{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101791Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:52.939{3A00444C-7713-6086-0500-00000000BC01}408524C:\Windows\system32\csrss.exe{3A00444C-8A68-6086-1803-00000000BC01}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101790Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:52.939{3A00444C-7725-6086-2C00-00000000BC01}29403548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A00444C-8A68-6086-1803-00000000BC01}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000101789Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:52.940{3A00444C-8A68-6086-1803-00000000BC01}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A00444C-7713-6086-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090981Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:52.491{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96A046E3B7D956C7BB9E94FEB9CBF5B3,SHA256=6F8232E326203A679CF5966CC39C2A2BBABB47B6397A27EE14C5B5283D57CEB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090980Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:52.303{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22C773FC6DE65C5620D51E08E749E47C,SHA256=BB9D02DC342A399207567F23809B1105740B3FE5BFA9AB73AB98FD9EC5E37830,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101788Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:49.733{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57503-false10.0.1.12-8000- 23542300x8000000000000000101809Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:53.976{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43D589ADF33BE4748715B68DF2973947,SHA256=6F77219E82182DC86B014A14B1084C42C50C535A2C1B8313E04A7AF7B11323C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090983Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:53.709{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2650788D40A7012022A60F493010734,SHA256=5489EFF423B945267FDCDB65D5FAA6E57EEC4A3D6D0AD43FFB4FFC4CE4585DB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090982Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:53.413{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A06A569F958ABA2AFBB996DBE9FB548,SHA256=ACEF85C19D77B261E7201B29769BFCB75873333E7AA4FCF0E449B65237399B2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101808Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:53.958{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8593A20CA47B15F6C4429866138D6CCF,SHA256=4EB3AADCEA9F19B34118A73DC865D72B265FF33E543F46EF47C2CDDC5217B7BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101807Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:53.958{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1886E350DA24237A7671AA85C268759F,SHA256=6ADD975983EB55C559AB9BC3DD6F43823F9BC8F3235E18C21107235205014FEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101806Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:53.607{3A00444C-7726-6086-3700-00000000BC01}33403360C:\Windows\system32\conhost.exe{3A00444C-8A69-6086-1903-00000000BC01}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101805Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:53.607{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101804Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:53.607{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101803Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:53.607{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101802Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:53.607{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101801Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:53.607{3A00444C-7713-6086-0500-00000000BC01}408424C:\Windows\system32\csrss.exe{3A00444C-8A69-6086-1903-00000000BC01}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101800Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:53.607{3A00444C-7725-6086-2C00-00000000BC01}29403548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A00444C-8A69-6086-1903-00000000BC01}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000101799Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:53.608{3A00444C-8A69-6086-1903-00000000BC01}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A00444C-7713-6086-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000090998Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:54.897{98176BC8-7728-6086-2B00-00000000BC01}24762052C:\Windows\system32\conhost.exe{98176BC8-8A6A-6086-D602-00000000BC01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090997Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:54.897{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090996Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:54.897{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090995Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:54.897{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090994Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:54.897{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090993Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:54.897{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090992Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:54.897{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090991Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:54.897{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090990Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:54.897{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090989Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:54.897{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090988Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:54.897{98176BC8-7725-6086-0500-00000000BC01}628904C:\Windows\system32\csrss.exe{98176BC8-8A6A-6086-D602-00000000BC01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000090987Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:54.897{98176BC8-7727-6086-1E00-00000000BC01}21202456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{98176BC8-8A6A-6086-D602-00000000BC01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000090986Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:54.897{98176BC8-8A6A-6086-D602-00000000BC01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{98176BC8-7726-6086-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090985Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:54.881{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6028FF736F34120821A6976DAE6DF77F,SHA256=33E1D11EE4A56D5B1A817793468FD797A4059F46CED6F5491E9EFB1911DCC4EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090984Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:54.428{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=803CC9C349189EE413310E6CCA1D60CC,SHA256=13C040F8A18679B312757FEDED5EEB4038693C047CF3E44F7E1DED430BAD1F2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101819Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:54.408{3A00444C-8A6A-6086-1A03-00000000BC01}65402588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101818Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:54.277{3A00444C-7726-6086-3700-00000000BC01}33403360C:\Windows\system32\conhost.exe{3A00444C-8A6A-6086-1A03-00000000BC01}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101817Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:54.277{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101816Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:54.277{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101815Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:54.277{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101814Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:54.277{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101813Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:54.277{3A00444C-7713-6086-0500-00000000BC01}408424C:\Windows\system32\csrss.exe{3A00444C-8A6A-6086-1A03-00000000BC01}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101812Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:54.277{3A00444C-7725-6086-2C00-00000000BC01}29403548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A00444C-8A6A-6086-1A03-00000000BC01}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000101811Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:54.277{3A00444C-8A6A-6086-1A03-00000000BC01}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A00444C-7713-6086-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000101810Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:52.586{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57504-false10.0.1.12-8089- 23542300x800000000000000091014Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:55.943{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFE7C0FA38B1D8D67AE8E5B65E0B0C3D,SHA256=27151CCB8B02335D389379E8011526EA9F96CCC67B3D0552C19629B5DEA8C712,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091013Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:55.553{98176BC8-7727-6086-1E00-00000000BC01}2120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C81FA1D267D8190DFD394F0C6EF1C409,SHA256=8799B118458B61BC2BE2C7CCE01ED0BF8DEE56258AADF3EC25E977922F694BDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091012Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:55.522{98176BC8-7728-6086-2B00-00000000BC01}24762052C:\Windows\system32\conhost.exe{98176BC8-8A6B-6086-D702-00000000BC01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091011Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:55.522{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091010Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:55.522{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091009Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:55.522{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091008Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:55.522{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091007Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:55.522{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091006Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:55.522{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091005Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:55.522{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091004Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:55.522{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091003Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:55.522{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091002Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:55.522{98176BC8-7725-6086-0500-00000000BC01}628644C:\Windows\system32\csrss.exe{98176BC8-8A6B-6086-D702-00000000BC01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000091001Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:55.522{98176BC8-7727-6086-1E00-00000000BC01}21202456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{98176BC8-8A6B-6086-D702-00000000BC01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000091000Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:55.523{98176BC8-8A6B-6086-D702-00000000BC01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{98176BC8-7726-6086-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090999Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:55.459{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABDBB8E8B35F71999F2215B53EC06FED,SHA256=0E9AB023042DF37FB130C7D4DABB314FDE358C5AF061055B21851FC5CF114B9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101821Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:55.307{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8593A20CA47B15F6C4429866138D6CCF,SHA256=4EB3AADCEA9F19B34118A73DC865D72B265FF33E543F46EF47C2CDDC5217B7BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101820Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:55.008{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3AC662BAB0BC5640C638FA7F184457B,SHA256=2ABC8650FFA384A906BA6E36A2D7D7714D65E79B01F75986D9475CF712B7039E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091030Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:56.771{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E64F5581EF48F18B3207EBD7AE5EF23B,SHA256=B1D715676D7556C99255AECA0624C4BB3732000757035D74E0435318565DBA43,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000091029Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:54.945{98176BC8-7731-6086-6500-00000000BC01}3848C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50746-false10.0.1.12-8000- 23542300x8000000000000000101832Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:56.739{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9802FDB35D9616D0971F3662885E427,SHA256=967D805462FCBD9B0BE726C9C6106BA77132BF82B64A702F9D96CCB9AB5C3103,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101831Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:56.561{3A00444C-8A6C-6086-1B03-00000000BC01}57801620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101830Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:56.423{3A00444C-7726-6086-3700-00000000BC01}33403360C:\Windows\system32\conhost.exe{3A00444C-8A6C-6086-1B03-00000000BC01}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101829Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:56.423{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101828Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:56.423{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101827Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:56.423{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101826Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:56.423{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101825Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:56.423{3A00444C-7713-6086-0500-00000000BC01}408424C:\Windows\system32\csrss.exe{3A00444C-8A6C-6086-1B03-00000000BC01}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101824Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:56.423{3A00444C-7725-6086-2C00-00000000BC01}29403548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A00444C-8A6C-6086-1B03-00000000BC01}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000101823Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:56.424{3A00444C-8A6C-6086-1B03-00000000BC01}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A00444C-7713-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101822Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:56.039{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710E04CF5874457CF614203557ABD268,SHA256=26FFCEE0DE12372E03ABF053C63B4447ECA9499CA8754155319BE2B2C27DD8A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091028Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:56.287{98176BC8-8A6C-6086-D802-00000000BC01}13163800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091027Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:56.146{98176BC8-7728-6086-2B00-00000000BC01}24762052C:\Windows\system32\conhost.exe{98176BC8-8A6C-6086-D802-00000000BC01}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091026Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:56.146{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091025Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:56.146{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091024Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:56.146{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091023Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:56.146{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091022Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:56.146{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091021Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:56.146{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091020Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:56.146{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091019Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:56.146{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091018Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:56.146{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091017Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:56.146{98176BC8-7725-6086-0500-00000000BC01}628644C:\Windows\system32\csrss.exe{98176BC8-8A6C-6086-D802-00000000BC01}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000091016Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:56.146{98176BC8-7727-6086-1E00-00000000BC01}21202456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{98176BC8-8A6C-6086-D802-00000000BC01}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000091015Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:56.148{98176BC8-8A6C-6086-D802-00000000BC01}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{98176BC8-7726-6086-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000091047Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:57.896{98176BC8-8A6D-6086-D902-00000000BC01}1580920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091046Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:57.756{98176BC8-7728-6086-2B00-00000000BC01}24762052C:\Windows\system32\conhost.exe{98176BC8-8A6D-6086-D902-00000000BC01}1580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091045Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:57.756{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091044Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:57.756{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091043Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:57.756{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091042Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:57.756{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091041Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:57.756{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091040Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:57.756{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091039Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:57.756{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091038Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:57.756{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091037Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:57.756{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091036Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:57.756{98176BC8-7725-6086-0500-00000000BC01}628644C:\Windows\system32\csrss.exe{98176BC8-8A6D-6086-D902-00000000BC01}1580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000091035Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:57.756{98176BC8-7727-6086-1E00-00000000BC01}21202456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{98176BC8-8A6D-6086-D902-00000000BC01}1580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000091034Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:57.756{98176BC8-8A6D-6086-D902-00000000BC01}1580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{98176BC8-7726-6086-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000091033Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:57.615{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AE6637B18CDE7E9FE9FE0F840F9F5C7,SHA256=9A52B448830C4E6E672BC7C50DB0F3CF24B6F6D5EF4BD66AF9537C34B4878917,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101845Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:55.317{3A00444C-7713-6086-0B00-00000000BC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-841.attackrange.local57506-true0:0:0:0:0:0:0:1win-dc-841.attackrange.local389ldap 354300x8000000000000000101844Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:55.317{3A00444C-7725-6086-2800-00000000BC01}2880C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-841.attackrange.local57506-true0:0:0:0:0:0:0:1win-dc-841.attackrange.local389ldap 354300x8000000000000000101843Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:54.749{3A00444C-772F-6086-6C00-00000000BC01}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-841.attackrange.local57505-false10.0.1.12-8000- 10341000x8000000000000000101842Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:57.239{3A00444C-8A6D-6086-1C03-00000000BC01}68684304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101841Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:57.107{3A00444C-7726-6086-3700-00000000BC01}33403360C:\Windows\system32\conhost.exe{3A00444C-8A6D-6086-1C03-00000000BC01}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101840Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:57.107{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101839Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:57.107{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101838Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:57.107{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101837Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:57.107{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101836Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:57.107{3A00444C-7713-6086-0500-00000000BC01}408384C:\Windows\system32\csrss.exe{3A00444C-8A6D-6086-1C03-00000000BC01}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101835Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:57.107{3A00444C-7725-6086-2C00-00000000BC01}29403548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A00444C-8A6D-6086-1C03-00000000BC01}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000101834Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:57.107{3A00444C-8A6D-6086-1C03-00000000BC01}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3A00444C-7713-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101833Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:57.075{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5A1E99BF238AC40C76CD33F758CAB75,SHA256=27712157859E74D533122F81130CEC02DB278DDB24A1EACA77EB540E4E3CBA4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000091032Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:55.351{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-347.attackrange.local50747-false10.0.1.12-8089- 23542300x800000000000000091031Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:57.162{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D1BD0FFA05DD44C20C5147B05656B6E,SHA256=726703446183926B26B706EA2279B2F037FE77CF95E0ED2C79B5D3A8F4AB196C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091063Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:58.896{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A08E8FCD0AD7597D2B48C39C6630903B,SHA256=3627DF2DADF40498A5FF24B8A8F68B1BF85A29A26D4B25AA3FED5FA2C915372C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101856Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:58.191{3A00444C-8A6E-6086-1D03-00000000BC01}42366880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000101855Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:58.108{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=112CFEB6A303D264BE5A17E75784B2A0,SHA256=0812E44C589E5695E882CCA27B0A88F86D0B85B2A2B8676D06B49FFC045FB524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101854Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:58.077{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=569141DFABCD35C1BB944D3E451AFA4E,SHA256=CEE499A7D6F687D662B5281479ADE524672657C0479DA672D9995C209049F66B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091062Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:58.552{98176BC8-8A6E-6086-DA02-00000000BC01}15722848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000091061Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:58.427{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC112F936A8C0D7FF4E098CD843287C0,SHA256=F75B93E6C12610B7FCC2EC3B743FECC863F71B917A3A432F72E3190068146DFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091060Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:58.427{98176BC8-7728-6086-2B00-00000000BC01}24762052C:\Windows\system32\conhost.exe{98176BC8-8A6E-6086-DA02-00000000BC01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091059Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:58.427{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091058Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:58.427{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091057Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:58.427{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091056Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:58.427{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091055Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:58.427{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091054Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:58.427{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091053Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:58.427{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091052Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:58.427{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091051Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:58.427{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091050Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:58.427{98176BC8-7725-6086-0500-00000000BC01}628744C:\Windows\system32\csrss.exe{98176BC8-8A6E-6086-DA02-00000000BC01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000091049Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:58.427{98176BC8-7727-6086-1E00-00000000BC01}21202456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{98176BC8-8A6E-6086-DA02-00000000BC01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000091048Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:58.428{98176BC8-8A6E-6086-DA02-00000000BC01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{98176BC8-7726-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000101853Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:58.059{3A00444C-7726-6086-3700-00000000BC01}33403360C:\Windows\system32\conhost.exe{3A00444C-8A6E-6086-1D03-00000000BC01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101852Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:58.058{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101851Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:58.058{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101850Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:58.058{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101849Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:58.058{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101848Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:58.057{3A00444C-7713-6086-0500-00000000BC01}408384C:\Windows\system32\csrss.exe{3A00444C-8A6E-6086-1D03-00000000BC01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101847Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:58.057{3A00444C-7725-6086-2C00-00000000BC01}29403548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A00444C-8A6E-6086-1D03-00000000BC01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000101846Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:58.057{3A00444C-8A6E-6086-1D03-00000000BC01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A00444C-7713-6086-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101857Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:39:59.107{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4E8A9EF5E82167E1C311F7049363F57,SHA256=CA2A3FD4EC38751A1112D37A8390B5DACB6CA5010150F85A120B3D0D73D21940,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091078Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:59.443{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3FBE046DF3B60D1C65C184E048586D0,SHA256=BC9BB00BC7B353EDF42E84296CB576D2C1A0CF8B83EFEB9AFC48C4BD8B7D9FF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091077Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:59.224{98176BC8-8A6F-6086-DB02-00000000BC01}10482740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091076Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:59.099{98176BC8-7728-6086-2B00-00000000BC01}24762052C:\Windows\system32\conhost.exe{98176BC8-8A6F-6086-DB02-00000000BC01}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091075Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:59.099{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091074Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:59.099{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091073Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:59.099{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091072Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:59.099{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091071Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:59.099{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091070Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:59.099{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091069Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:59.099{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091068Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:59.099{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091067Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:59.099{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091066Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:59.099{98176BC8-7725-6086-0500-00000000BC01}628644C:\Windows\system32\csrss.exe{98176BC8-8A6F-6086-DB02-00000000BC01}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000091065Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:59.099{98176BC8-7727-6086-1E00-00000000BC01}21202456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{98176BC8-8A6F-6086-DB02-00000000BC01}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000091064Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:39:59.100{98176BC8-8A6F-6086-DB02-00000000BC01}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{98176BC8-7726-6086-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101866Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:40:00.108{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18E372D19FCC0FEC546E9D87B76C2148,SHA256=7EB08C7B4C31D8E6AAEF9181007FDCB8DB0AEB4A7619A17F352430738E5BCA59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091080Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:40:00.568{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56B64D02D59185DBF413B0DDD6B424CB,SHA256=75CAE395928FE94C5EB6BD2CC4CDBA29A1DDDAD7620E2FC37FD38AA275478B90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000091079Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:40:00.083{98176BC8-7739-6086-7000-00000000BC01}1852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=582E2324F64C4C73761B0DE9A9197C2F,SHA256=FF3FE0CF8959C72375E17EFA07039EDA37A4BD63DA0B8A2AC930758ED00FDF69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101865Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:40:00.092{3A00444C-7726-6086-3700-00000000BC01}33403360C:\Windows\system32\conhost.exe{3A00444C-8A70-6086-1E03-00000000BC01}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101864Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:40:00.092{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101863Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:40:00.092{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101862Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:40:00.092{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101861Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:40:00.092{3A00444C-7715-6086-0C00-00000000BC01}8362760C:\Windows\system32\svchost.exe{3A00444C-7725-6086-2600-00000000BC01}2864C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101860Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:40:00.092{3A00444C-7713-6086-0500-00000000BC01}408384C:\Windows\system32\csrss.exe{3A00444C-8A70-6086-1E03-00000000BC01}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000101859Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:40:00.092{3A00444C-7725-6086-2C00-00000000BC01}29403548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A00444C-8A70-6086-1E03-00000000BC01}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000101858Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:40:00.093{3A00444C-8A70-6086-1E03-00000000BC01}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A00444C-7713-6086-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3A00444C-7725-6086-2C00-00000000BC01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101867Microsoft-Windows-Sysmon/Operationalwin-dc-841.attackrange.local-2021-04-26 09:40:01.107{3A00444C-7737-6086-7500-00000000BC01}3120NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FFB06EA361A86BA7D8E35953A2A1232,SHA256=A74DA9E30AE95A5B95B11429E2089BE6F7D726DAA508518B7BA9659FD2586D4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000091093Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:40:01.021{98176BC8-7728-6086-2B00-00000000BC01}24762052C:\Windows\system32\conhost.exe{98176BC8-8A71-6086-DC02-00000000BC01}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091092Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:40:01.021{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091091Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:40:01.021{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091090Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:40:01.021{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091089Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:40:01.021{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091088Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:40:01.021{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091087Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:40:01.021{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091086Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:40:01.021{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091085Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:40:01.021{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091084Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:40:01.021{98176BC8-7726-6086-0C00-00000000BC01}940988C:\Windows\system32\svchost.exe{98176BC8-7727-6086-1C00-00000000BC01}2056C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091083Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:40:01.021{98176BC8-7725-6086-0500-00000000BC01}628904C:\Windows\system32\csrss.exe{98176BC8-8A71-6086-DC02-00000000BC01}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000091082Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:40:01.021{98176BC8-7727-6086-1E00-00000000BC01}21202456C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{98176BC8-8A71-6086-DC02-00000000BC01}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000091081Microsoft-Windows-Sysmon/Operationalwin-host-347.attackrange.local-2021-04-26 09:40:01.021{98176BC8-8A71-6086-DC02-00000000BC01}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{98176BC8-7726-6086-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{98176BC8-7727-6086-1E00-00000000BC01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service